Daniel Nkansah C843
Western Governors University
Daniel Nkansah
Managing Information Security - C843
January 27, 2024

Part 1

a. Several factors contributed to this attack being successful. Azumer has taken a very passive approach toward cybersecurity, and its security program is flawed on many levels, which was always going to be a disaster for the company. The company's network is accessible to volunteers from their personal computers because Azumer has no VPN solution for volunteers connecting from outside the main office; hence anyone with the right credentials can connect to the network and access resources. Azumer had also deferred the implementation of its firewall solution, so traffic entering the company network was not being filtered or blocked. The database was stored on a local machine, and there were no backups of it; occasional copies were created on USB drives, which is also a problem. This means that whenever something happens to the database, all data will be lost. Some full-time employees were given access to the database, with no explanation of whether these employees needed that access or whether their job roles and responsibilities required it. Password policies were not being enforced, and some employees had never changed their passwords. There is no mention of any email security tool to catch phishing emails or attacks, so any phishing email will easily make its way into a user's inbox. Azumer employees seem either not to be receiving security training or not to be practicing what is taught in the training, because everyone seems to have failed at not clicking on suspicious links or emails from unrecognized senders. All of these vulnerabilities contributed to the attack being successful.

b. Standards for PII confidentiality are provided by NIST SP 800-122. According to McCallister et al. (2010), section 4.1.2, "Awareness, training, and education are distinct activities, each critical to the success of privacy and security programs." Confidentiality has been broken because an unauthorized hacktivist group that should not have access to volunteer PII has stolen the PII. Even within the company, some employees had access to the database when database access should be restricted to only the people who need it to do their jobs. John not being able to find the database indicates the data has been tampered with or stolen; in this case, even if we do find the database, we cannot be sure the data in it is accurate and correct, and we have no backup to compare it to. NIST SP 800-12 outlines how the integrity of the network and database could have been protected, but Azumer failed to put any security measure in place to ensure integrity. Availability has certainly been broken because even the administrator cannot find the database, so it is definitely not available to be used. NIST SP 800-61 provides guidance on keeping clean backups of systems so that systems can be restored if there is an incident; in the case of Azumer, there was no clean, trusted backup available, indicating that availability was definitely broken.

c. Azumer Water must follow the same federal regulations that apply to FEMA in its capacity as an affiliate of the Federal Emergency Management Agency (FEMA). Its adherence to the federal regulations found in 44 C.F.R. has failed because of the network intrusion (Emergency Assistance and Management, 2020). The attack specifically contravened 44 C.F.R. 6.6, which mandates that system managers establish suitable administrative, technical, and physical safeguards to guarantee the security and confidentiality of records. Additionally, they must guard against potential threats or hazards to the security or integrity of records that could cause significant harm, embarrassment, inconvenience, or unfairness to any individual about whom information is maintained (Protecting Information Systems, 2020). One of the examples given in the case study to show how Azumer Water did not comply is how it handled Personally Identifiable Information (PII) that was physically in its possession, especially paper records. Azumer's noncompliance with the rules stems from its insufficient PII storage procedures and lack of suitable security protocols to ensure the PII's protection.

d. Immediate plans include informing all parties whose PII was compromised about the breach, especially the volunteers. John's computer, the database computer, and all other user computers that were involved in clicking any suspicious links need to be isolated immediately and investigated. Any indicators of compromise need to be noted, and a thorough scan needs to be
conducted, and all viruses and malware need to be removed immediately, or the devices reimaged. Any other devices that show symptoms of the indicators of compromise need to be isolated as well. The most recent USB drive copy needs to be scanned for malware; if it is safe, the data it holds can be used to create a new database, ensuring it is set up on an independent server with firewall rules in place. The firewall solution can be implemented immediately to block any transfer of files out of the network, ensuring that common file transfer ports are restricted as well as defining access policies.

e. Had Azumer Water put an incident response strategy in place, the attack's effects might have been lessened. A plan like this would have provided a methodical way to deal with this particular attack as well as any others that might happen, guaranteeing a timely, well-planned, and organized reaction. Incorporating a requirement that the security officer be notified immediately of any suspected network breach would have allowed the business to act before any data was altered or compromised. The strategy might also have included the steps required to separate the compromised system from the rest of the network, which would have prevented the infection from spreading. Additionally, the plan might have included a description of the procedures needed to recover and restore any data damaged as a consequence. Moving forward, Azumer will be able to benefit from following NIST SP 800-61 in order to stay proactive when it comes to handling incidents.

Part 2

f. Ways to improve information assurance levels include:
1. Creating regular backups of the database and always maintaining a clean backup that can be used if there is ever another incident. This will help avoid the previous scenario and will ensure the backup is always trusted and the data in it has not been tampered with.

2. Implementing a strong password policy. Users should be required to change their passwords every 3-6 months, password complexity should be enforced (8 characters or longer, including special characters and numbers), and it would be wise to adopt a solid MFA solution to add a layer of security when users log into systems.

3. Employee training should be a requirement for every employee once hired, and yearly thereafter. All employees should be aware of best practices and of their responsibilities when it comes to security; security should be a team effort that the entire company is working toward.

g. Azumer must make sure Pruhart Tech completes the work of installing and configuring the firewalls and regularly performs vulnerability assessments to find possible threats before they can be exploited. As a first line of protection, if possible, it would be wise to put in place an Intrusion Detection and Prevention system. Employees should take periodic refresher courses and receive information security training to reduce the possibility of human error. Anti-malware software needs to be installed on all networked computers, and automatic scans ought to be run on a regular basis. Automatic enforcement of operating system upgrades should be put in place as soon as known vulnerabilities are discovered.
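As an added illustration of the password policy recommended in item 2 above (this is example code written for this page, not part of the original paper or of any Azumer Water system), the following Python shows the two halves of enforcing such a policy: a complexity check that runs on a candidate password at change time, and a rotation audit that runs over account records, which hold only the date of the last change, never the password itself. The paper says "3-6 months"; the 90-day cutoff and the usernames in the sample records are assumptions constructed for the example.

```python
import re
from datetime import date, timedelta

# Policy parameters from the paper's item 2. The paper says "3-6 months";
# the 90-day figure is an assumption (the stricter end of that range).
MIN_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 90


def complexity_violations(candidate: str) -> list:
    """Check a proposed new password at change time and return the rules it fails.

    An empty list means the candidate satisfies the policy. Only the candidate
    is handled in the clear; the stored account records below never carry passwords.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    return problems


def rotation_overdue(last_changed: str, as_of: str) -> bool:
    """True when a password last changed on the given ISO date is older than allowed."""
    age = date.fromisoformat(as_of) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_PASSWORD_AGE_DAYS)


# Constructed sample account records (hypothetical users, not from the case study).
# last_changed is None for an account whose password was never changed after provisioning,
# the situation the paper describes for some Azumer employees.
SAMPLE_ACCOUNTS = [
    {"username": "jdoe",       "last_changed": "2024-01-10"},
    {"username": "volunteer1", "last_changed": "2023-06-01"},
    {"username": "dbadmin",    "last_changed": None},
]


def rotation_report(accounts, as_of: str) -> dict:
    """Return {username: reason} for every account whose password must be rotated now."""
    report = {}
    for acct in accounts:
        if acct["last_changed"] is None:
            report[acct["username"]] = "password never changed since provisioning"
        elif rotation_overdue(acct["last_changed"], as_of):
            report[acct["username"]] = f"password older than {MAX_PASSWORD_AGE_DAYS} days"
    return report


if __name__ == "__main__":
    for pw in ["password", "Water2024!"]:
        print(pw, "->", complexity_violations(pw) or "compliant")
    for user, reason in rotation_report(SAMPLE_ACCOUNTS, "2024-01-27").items():
        print(user, "->", reason)
```

Keeping the complexity check and the rotation audit separate matters: the audit can run daily against the account directory without ever touching a password, while the complexity rules are applied only at the moment a user sets a new one.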
h. Azumer Water is a relatively small company with only 11 full-time employees, one of them the recently hired information security officer. Given its modest size, it would not be possible for Azumer to establish a strong IT team. Azumer might benefit from having a helpdesk employee as the initial point of contact; this individual could assist volunteers and staff with IT problems. Everything pertaining to security will fall under the purview of the information security officer, covering mobile devices, workstations, networks, etc. The CEO would have final say over both roles: the CEO would approve purchases, approve projects, and provide feedback on policies and procedures. With a working relationship with a Managed Services Partner (MSP), Azumer would also be well positioned to have someone on hand to help with the bigger problems that the internal team is ill-equipped to manage. In the future, the MSP would be an invaluable resource for giving Azumer guidance.

i. Risk 1, Phishing
Likelihood: High. Lack of user awareness training. Not following the acceptable use policy and established federal policies for password complexity.
Severity: High. Loss of data, possibly PII. Loss of volunteers. Puts volunteers at risk of identity theft. All systems connected to the network are at risk.
Impact: High. Data is stolen, deleted, or corrupted. The business's reputation is at risk, and a ruined reputation may collapse the company as well.

Risk 2, Password Compromise
Likelihood: High. Brute-force attacks are very likely to occur since users don't even change their passwords, password complexity is not enforced, and users may voluntarily enter their password on a malicious site due to lack of training.
Severity: High. This is a multi-layered issue: a compromised password means company accounts and systems will be compromised, hackers and threat actors will get their hands on sensitive information, and the company's reputation will be ruined, in addition to the legal issues the company could face for not being in line with federal and industry policies.
Impact: High. Could lead to identity theft of customers and employees, and the company's reputation will be in shambles. Most small companies never recover from cyber-attacks, so the company could be shut down forever.

My risk management approach would be for Azumer to follow the risk management framework outlined in NIST SP 800-37, Rev. 2 (2018), whose steps are:

1. Prepare: Undertake essential activities at the organization, mission, and business process levels to prepare the organization for managing security and privacy risks using the NIST Risk Management Framework.

2. Categorize: Determine the adverse impact on organizational operations and assets, individuals, other organizations, and the nation in terms of the confidentiality, integrity, and availability of systems and the information they process when incidents occur.

3. Select: Choose, customize, and document the controls necessary to protect the information system and organization in line with the risk to organizational operations, assets, individuals, other organizations, and third parties.

4. Implement: Implement the controls specified in the security and privacy plans for both the system and the organization, and document the detailed implementation in a baseline configuration.

5. Assess: Evaluate whether the selected controls are correctly implemented, operating as intended, and producing the desired results with respect to meeting the security and privacy requirements for the system and the organization.

6. Authorize: Provide organizational accountability by requiring a senior management official and executives to determine the acceptability of security and privacy risks, including supply chain risk, to organizational operations, assets, individuals, and other organizations based on system operation or common control usage.

7. Monitor: Maintain ongoing situational awareness of the security and privacy posture of the information system and the organization in support of risk management decisions.
References

Cichonski, P. R., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology (NIST SP 800-61 Rev. 2). https://doi.org/10.6028/nist.sp.800-61r2

Emergency Management and Assistance, 44 C.F.R. (August 2020). Retrieved from https://www.govregs.com/regulations/title44

McCallister, E., Grance, T., & Scarfone, K. (April 2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (NIST SP 800-122). National Institute of Standards and Technology. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

National Institute of Standards and Technology. (December 2018). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37 Rev. 2). https://doi.org/10.6028/NIST.SP.800-37r2

Safeguarding systems of records, 44 C.F.R. § 6.6 (August 2020). https://www.govregs.com/regulations/title44_chapterI_part6_subpartA_section6.6