7-2 Final Project Milestone

School: Southern New Hampshire University
Course: 549
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 14
7-2 Final Project Milestone Four: Statements of Policy
Hanah Deering
IT-549 Foundation in Information Assurance

Incident Response Protocols

Target's incident response protocols are critically important in the event of any type of cybercrime, data loss, or loss of availability that threatens daily business functions. These protocols define a structured process that Target follows to identify and respond to already identified vulnerabilities or security emergencies. Essentially: how does Target handle identified vulnerabilities that exist within the organization, and what process is followed in the event of a data breach? Following sufficient incident response protocols provides Target with a course of action in the event of significant incidents. Incidents can lead to massive data breaches, as Target has already experienced, that affect not only the organization directly but also its customers. These impacts can be felt for days or even months. This is why thorough, detailed incident response protocols need to be followed to help Target stop, contain, and control the incident at hand.

Some of the vulnerabilities and threats to Target that have been affecting information assurance and best practices are:

Unsegmented Network – Network segmentation is when an organization breaks a larger network into smaller parts to improve network performance and the security of the overall network. Target's use of an unsegmented network presents attackers with a greater attack surface, allowing them to move laterally through the network and potentially access critical information easily. Once an attacker gains access to Target's internal network, the lack of separation lets them easily install malware/ransomware, maximizing the number of hosts that can be exploited. Creating segmented networks makes overall management of the network easier and ensures critical parts of the network are isolated in the event of a security breach.

Social Engineering Unawareness of Employees/Phishing Emails – Social engineering attacks rely on the weaknesses of humans (employees) for attackers to gain unauthorized access to internal Target systems. Attackers use manipulation methods such as phishing emails to obtain credentials (username and password) that will allow them to exploit data. It is important that Target employees and vendors know their importance in protecting the front line against attackers, and are aware of how to properly identify phishing attempts and of the repercussions of falling for social engineering.

Improper Configuration of Intrusion Detection Systems – Intrusion Detection Systems (IDSs) "use heuristics and complex machine learning algorithms based on behavioral modelling to make intelligent guesses." (Proud, 2018) Target had a deployed FireEye IDS whose alarms, raised to let the security department know that there was an attacker within the network, were not properly acknowledged. Had the security staff followed the proper incident response protocols, the attacker would never have made it to the Point-of-Sale (POS) systems to install malware. It is important that baselines of behavior be created on all alarm systems, and that security personnel are properly trained on how to handle incident response.

Third-Party Vendor Assessments – Target works with third-party vendors daily, and some of these vendors have access to Target's internal systems. We saw this in the 2013 Target data breach, when an HVAC company was remotely accessing Target's HVAC systems. Granting third-party vendors access to internal networks can affect the security of the organization without proper vendor management. Properly evaluating the security posture of third-party vendors mitigates this persistent threat to Target. Ensuring that third parties have strong security practices and hold the appropriate compliance certifications addresses the security posture of who Target allows to access its systems.

As these are just some of the threats and vulnerabilities present to Target, it is important that the company responds to any incident that may occur because of them. Following incident response protocols guides the entire organization through an incident to ensure that the business can return to normal operations in a timely manner and reduce the risk of data exploitation. Incident response protocols are often initiated as soon as an IDS alarms, at which point the incident response team oversees following the protocols to resolve the incident. These guides against the different types of threats/vulnerabilities are usually outlined in organizational playbooks. Referring to the threats/vulnerabilities identified above, the incident response protocols are:

Unsegmented Network – After an attacker has breached the perimeter of a network, it is critical to isolate any devices or systems that have been identified. This can mean closing any identified asset (whether it is an account, device, or system) to prevent attackers from exposing anything further. After the affected asset is isolated, incident response protocols must be extended to examining the damage. This involves assessing what systems/data have been accessed so that the organization is better equipped to deal with the breach.

Social Engineering – It is important for Target to bring social engineering awareness to its employees. Employees are the first line of defense against attackers, and being aware of what phishing attempts look like is critical to the success of the organization's security posture. Incident response protocols against this threat include raising social engineering awareness through annual phishing training and monthly phishing simulations for employees. If an attacker succeeds at a phishing attempt, it is vitally important that the employee knows how to properly report the successful attempt. Once management is notified of compromised credentials, the employee's compromised account needs to be shut down to mitigate the exposure of information through their access. New firewall rules will also be a part of Target's incident response protocol, given that these firewall rules control who can access what, from where.

Intrusion Detection System – One of the reasons that the 2013 Target breach was successful was that the alarms raised by the IDS went unnoticed and unanswered. If an IDS triggers an alarm, it indicates that there is or has been an attack. The incident response team first needs to acknowledge the alarm, even if it is a false positive. Once the team determines whether the attack was legitimate, the attack needs to be investigated, which also entails gathering indicators of compromise. At this point, Target personnel will determine the extent of exposure (what data was exploited). Following the correct incident response protocols ensures that alarms from security tools are taken seriously before they seriously affect the data/information within Target's systems.

Third-Party Vendor Assessment – It is unavoidable that organizations like Target will engage in multiple third-party vendor relationships. This is why it is vitally important for Target to have a solid vendor management program to properly address and vet vendors' cybersecurity posture and security practices, ensuring that the vendors themselves are not risks to the organization. If a third-party vendor experiences a breach, it is important for Target to ensure that its own information/access has not been compromised as well. The incident response protocols to follow in the event of a third-party vendor data breach are: first, consider the relationship between the two organizations and the business use case for the relationship. This gives Target insight into what information or level of access the vendor would have had to Target's sensitive information. If remote access has been granted to the vendor, this access needs to be stopped immediately. Target then must contact the vendor directly to properly address the potential exposure.

Justification of Incident Response Protocols

Incidents can lead to massive data breaches, as Target has already experienced, that affect not only the organization directly but also its customers. These impacts can be felt for days or even months. This is why thorough, detailed incident response protocols need to be followed to help Target stop, contain, and control the incident at hand. Putting these incident response protocols in place will mitigate the identified threats and vulnerabilities. Attackers can move laterally through an unsegmented network; therefore, following the proper incident response protocols in the event of a breach on an unsegmented network will shut down the attacker's access and isolate the affected host. This ensures that the attack stays isolated from critical parts of the network. Phishing emails are sent with the intent to gain access to internal systems using employee credentials, so following the correct protocols in the event of a successful phishing attempt will mitigate the compromised account's (attacker's) access to sensitive business information. Also, bringing social engineering awareness to Target reduces the risk of successful social engineering overall.
Intrusion Detection Systems (IDSs) help to identify breaches quickly, and following incident response protocols helps to mitigate the spread of a breach to other parts of the network and to areas that hold sensitive information. Proper response to IDS alarms can keep Target from letting a small breach attempt turn into another 2013 breach. Through proper vendor management, it is also a proper incident response protocol to consider the security posture of the vendors the organization has relations with. If a vendor is breached, following proper protocol can stop the threat of exposure of Target's internal systems. It is also important to understand what information/data the vendor may have that would impact Target, in order to understand what protocols need to be followed to mitigate exposure.

Disaster Response Protocols

Following disaster response protocols prepares not only the network but also employees for crises, and can mitigate the damage caused by a disaster. These protocols provide Target with a documented, structured approach that describes how the organization responds to any unplanned incident. Disaster Recovery and Business Continuity Policies govern the response protocols to the various threats and vulnerabilities. Some of the disasters that Target plans for in its policies are systems/application/communication failure, power outage, natural disaster, and cyber-attacks. The main objective of disaster response protocols is to minimize the negative effect on Target's business operations should any of these occur. The disaster recovery protocols include the following:

- The identification of the critical systems
- The key leaders and staff members responsible for the identified critical systems
- The RTO and RPO
- Outlined steps for how to restart, reconfigure, and recover the identified systems

Disaster recovery protocols also establish communication plans for how crisis communication will be handled throughout Target. "Examples of internal communication include instructions to evacuate the building and meet at designated places, updates on the progress of the situation and notices when it's safe to return to the building." (Brush, 2022) Disasters such as Denial of Service (DoS) and SQL Injection attacks have various disaster response protocols. Target follows internal protocols in the event of such disasters. Disaster recovery protocols ensure proper response to the identified threats. Some of these outlined protocols are:

Systems/application/communication failure – In the event of a system/application/communication failure, Target has set up redundancy so that the business can become functional again. This consists of redundant circuits and servers to bring services back up. In the event of data loss, Target completes backups (file copies) to be able to reestablish business-critical information, ensuring that the data can be restored.

Power outage – In the event of a power outage, Target has multiple generators that can handle the power load of its data center and headquarters. This allows business to continue even when the surrounding area has no power.

Natural disasters – In the event of an unforeseen natural disaster striking, Target has established both hot and warm sites that allow business to be transferred to a different location. Hot sites are fully functioning sites that allow Target to essentially pick up where it left off at headquarters. Backups allow for there to be no data loss.

Target's establishment of disaster recovery protocols is just the first step; they are meaningless if they go untested. Testing of these protocols identifies any deficiencies and gaps within them, giving Target the opportunity to improve its disaster recovery protocols before an emergency happens. In the ever-changing world of technology, testing also gives Target the opportunity to ensure that its disaster recovery protocols stay up to date with real-world security trends. Tabletop exercises help demonstrate to team members what their duties are in the event of an emergency.

Justification of Disaster Response Protocols

These disaster response protocols are ensured to be effective through consistent testing. Management's support ensures the proper support of security policies and incident handling by ensuring the proper allocation of resources in the event of an emergency. Regularly assessing the threats and vulnerabilities within Target ensures that disaster recovery protocols stay up to date. Patch management policies and configuration management help to mitigate the likelihood of vulnerabilities in Target's environment, ensuring the enforcement of correct configuration. Regular testing of disaster recovery protocols ensures that every key player knows their part and that the protocols are effective in mitigating the impact that emergencies have on the organization.

Access Control Protocols

Access control protocols are critical components of Target's cybersecurity posture. Following these protocols ensures that "the right users have the right level of access to the right resources." (Fortinet, 2023) There are several components that manage access control protocols. Authentication verifies the identity of a user; essentially, is this person who they claim to be? This is usually done with authentication methods such as a username and password, and sometimes Two-Factor Authentication (2FA) such as biometrics. However, authentication alone is not sufficient to properly protect Target's data. Authorization specifies each user's rights and privileges to resources: after a user's identity is authenticated, what resources do they have access to? Access control protocols ensure that only the proper individuals have access to only the proper information/data. Access control protocols can fall into one of the following categories, each of which implements a way to safeguard data and users:

Role-Based Access Control (RBAC) – Permissions and actions are granted by an employee's role within the company.

Mandatory Access Control (MAC) – Permissions are determined by an individual's request to be able to access the data and resources that they need. This generally entails the Identity and Access Management department adding users to specific groups to grant access.

Discretionary Access Control (DAC) – Permissions are determined by whether the data owner approves granting access, on a per-user basis.

Target implements Role-Based Access Control to develop appropriate access control throughout the organization. This ensures access is based on least privilege, so that the data/information within Target's systems is properly safeguarded and not accessed by an unauthorized individual. Information assurance is heightened by an Access Control Policy and access control protocols that protect the integrity of users and avoid the compromise of any organizational assets. Levels of access are granted by position and rank within Target. This helps to identify compromised systems quickly in the event of a data breach. For example, a customer service representative would have drastically less access than the CEO of the company.

Justification of Access Control Protocols

To address the security threats and the integrity of users in Target, it is critically important to have access control protocols in place. Using a Role-Based Access Control (RBAC) approach ensures that users are granted access based on least privilege, only granting access to the systems and information needed to complete daily job functions. Not only are authentication and authorization (as previously identified) important, but so is the audit of access control protocols. "Organizations can enforce the principle of least privilege through the access control audit process. This enables them to gather data around user activity and analyze that information to discover potential access violations." (Fortinet, 2023) Access control protocols used within Target also extend to the use of Two-Factor Authentication (2FA) through Microsoft Duo on all business-critical systems and applications. This ensures that even in the event of compromised usernames and passwords, the systems have an extra layer of security. Access control protocols also extend to devices through Target's use of Network Access Control (NAC). It is important for Target to address the growth of devices accessing the network. "A NAC system can deny network access to noncompliant devices, place them in a quarantined area, or give them only restricted access to computing resources, thus keeping insecure nodes from infecting the network." (Cisco, 2023) This mitigates the risks associated with the devices on Target's network through an access control protocol. Having access control protocols in place ensures that even if credentials are compromised, an attacker would not have full, unrestricted access to everything in Target's internal network. These protocols can also prevent data breaches, as they provide a high level of user and data protection against security threats and protect the integrity of the users in Target.

Method of Maintaining the Information Assurance Plan

Establishing the Information Assurance Plan is just one step for Target; maintaining it is just as important. Without proper maintenance, the Information Assurance Plan is simply words on a piece of paper. Target must commit to building a conscious cybersecurity culture. According to the PCI Security Standards Council, this effort revolves around:

- A social engineering awareness program that brings security awareness to all users
- Guidelines on the proper storage and disposal of data
- Audits of all systems to ensure compliance not only with governing laws and regulations, but also with Target's internal Information Assurance Plan
- Applying the proper configuration and patch management process to all systems and servers to ensure devices are kept up to date
- Following the proper incident response protocols
- Employing a Security Operations Center (SOC) team to monitor and respond to incidents
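As an added illustration of the RBAC, least-privilege and access-audit protocols described in the Access Control sections above (example code written for this edit, not Target's or the paper's own), the following Python authorizer enforces role permissions, logs every decision, and then audits the log for denied attempts and for privileges that were never exercised. The roles, users, resources and activity are constructed for the example.

```python
from collections import defaultdict


class RbacAuthorizer:
    """Role-based access control with an audit trail. Users hold roles, roles
    hold (action, resource) permissions, and every decision is logged.
    Authentication is assumed to have already happened upstream."""

    def __init__(self, role_permissions, user_roles):
        self.role_permissions = role_permissions
        self.user_roles = user_roles
        self.audit_log = []  # entries: (user, action, resource, allowed)

    def effective_permissions(self, user):
        """Union of the permissions of every role assigned to the user."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def authorize(self, user, action, resource):
        """Authorization check; an unknown user or role simply has no permissions."""
        allowed = (action, resource) in self.effective_permissions(user)
        self.audit_log.append((user, action, resource, allowed))
        return allowed

    def denied_attempts(self):
        """Audit step 1: denied requests per user. Repeated denials can point to
        a compromised account or a user probing beyond their role."""
        denied = defaultdict(list)
        for user, action, resource, allowed in self.audit_log:
            if not allowed:
                denied[user].append((action, resource))
        return dict(denied)

    def unused_permissions(self):
        """Audit step 2 (least-privilege review): permissions held but never
        exercised in the audited window are candidates for removal. Caveat: the
        window must cover rare but legitimate tasks, or this will over-flag."""
        used = defaultdict(set)
        for user, action, resource, allowed in self.audit_log:
            if allowed:
                used[user].add((action, resource))
        return {u: self.effective_permissions(u) - used[u] for u in self.user_roles}


# Constructed example policy (not Target's): a customer service representative
# holds far less access than an executive, as the paper's own comparison notes.
EXAMPLE_ROLE_PERMISSIONS = {
    "customer_service_rep": {("read", "customer_orders"), ("update", "customer_orders")},
    "finance_analyst": {("read", "customer_orders"), ("read", "financial_reports")},
    "executive": {("read", "customer_orders"), ("read", "financial_reports"),
                  ("approve", "financial_reports"), ("read", "payroll")},
}
EXAMPLE_USER_ROLES = {
    "csr_alice": {"customer_service_rep"},
    "analyst_bob": {"finance_analyst"},
    "ceo_carol": {"executive"},
}


def run_example():
    """Replay constructed activity and return (denied attempts, unused permissions)."""
    ac = RbacAuthorizer(EXAMPLE_ROLE_PERMISSIONS, EXAMPLE_USER_ROLES)
    ac.authorize("csr_alice", "read", "customer_orders")       # allowed by her role
    ac.authorize("csr_alice", "read", "payroll")               # denied: executives only
    ac.authorize("ceo_carol", "read", "payroll")               # allowed
    ac.authorize("ceo_carol", "approve", "financial_reports")  # allowed
    return ac.denied_attempts(), ac.unused_permissions()
```

The denied-attempts report is what an incident responder would review after a phishing compromise, while the unused-permissions report feeds the periodic least-privilege review.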
Justification of Maintaining the Information Assurance Plan

Cybersecurity posture needs to be a top priority for Target because of the nature of the data/information that is handled. Loopholes for hackers to attack the system are created internally, and sometimes unintentionally. Areas that require establishing and maintaining policies within the Information Assurance Plan are social engineering awareness, asset management, incident response, patch management, disaster recovery/business continuity, and password management (just to name a few). Following the best practices outlined in the Information Assurance Plan that relate to these identified topics will ensure the ongoing effectiveness of the overall IA Plan.
Citations

Brush, K. (2022, May 18). What is a disaster recovery plan (DRP) and how do you write one? Disaster Recovery. https://www.techtarget.com/searchdisasterrecovery/definition/disaster-recovery-plan

Cisco. (2023, July 24). What is Network Access Control (NAC)? https://www.cisco.com/c/en/us/products/security/what-is-network-access-control-nac.html

Fortinet. (2023). What is access control? - Network cybersecurity systems. https://www.fortinet.com/resources/cyberglossary/access-control

PCI Security Standards. (2014). Best practices for implementing a security awareness ... https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf

Proud, J. (2018, March 12). Simple heuristics that make algorithms smart. Behavioral Scientist. https://behavioralscientist.org/simple-heuristics-that-make-algorithms-smart/