Running head: Risk Assessment Report (RAR)

Risk Assessment Report (RAR)
CYB 610: Cyberspace and Cybersecurity Foundations
Me
University of Maryland University College
Purpose
The purpose of this risk assessment is to evaluate the adequacy
of the Amazon Corporation's security. The report provides a
structured, qualitative assessment of Amazon's operational
environment: it addresses data sensitivity, threat analysis,
vulnerability analysis, risk analysis and the safeguards already
applied at Amazon Corporation. It then recommends cost-effective
safeguards to mitigate the identified threats and the exploitable
vulnerabilities associated with them.
The Organization
The Amazon Corporation's system environment is a distributed
client/server environment built around a Microsoft SQL Server
database. It consists of SQL data files, Python application code,
Java executables and JavaScript. The SQL production data files,
documented as SQL stored procedures and SQL tables, reside on a
cloud-hosted storage area network attached to an HP server running
Windows XP and Microsoft SQL Server 2000. Both products were out of
vendor support at the time of this assessment, so no security
patches are available for them. The Python application code
resides on a separate IBM server running Kali Linux (NIST, 2014).
Kali is a penetration-testing distribution rather than a hardened
server platform, which is itself a configuration concern.
The Amazon Corporation's executables reside on a file server
running Windows 2000 (also out of vendor support) and Kali Linux,
or occasionally on a local workstation, depending on the load and
job requirements. Desktop computers are connected to the corporate
wide area network (WAN). Some users reported that they usually
connect remotely over secured dial-up and DSL connections through
a Citrix server. Normally a user connects to an application server
in their own city that hosts the Amazon Corporation's application,
and that server connects to the shared database server located in
Atlanta (NIST, 2014).
Scope
The scope of this risk assessment is to assess the system's use of
resources and the controls implemented, and to report on the plans
in place to eliminate or manage the vulnerabilities exploitable by
the threats identified in this report, whether internal or external
to Amazon. If not eliminated, and then exploited, these
vulnerabilities could result in:
· Unauthorized disclosure of data, unauthorized modification of
the system or its data (or both), and denial of service or denial
of access to data (or both) for authorized users.
This Risk Assessment Report for Amazon Corporation evaluates
confidentiality (protection from unauthorized disclosure of system
and data information), integrity (protection from improper
modification of information) and availability (protection against
loss of access to the system and its data).
The assessment tools used in the methodology are the Microsoft
Baseline Security Analyzer (MBSA) and the OpenVAS vulnerability
scanner, both run in the CYB 610 lab, and the Wireshark packet
analyzer. MBSA and OpenVAS are vulnerability scanners rather than
intrusion detection tools; Wireshark captures and decodes live
traffic. The analysis reviewed the screenshots taken with each tool
to arrive at the conclusions below. The recommended safeguards are
meant to allow management to make informed decisions about
security-related initiatives at Amazon.
Methodology
Comment by Hank Williams: You are not really describing the
methodology. You should be explaining how to determine risk levels
along with the tables such as impact levels, likelihood levels and
the risk matrix that shows how final risk for each vulnerability is
determined. Then you list each vulnerability from the SAR and apply
the methodology to it to determine the risk level. Once that is
done, you can then determine or recommend how to handle each
vulnerability (mitigate, transfer, accept, etc.).
The risk assessment methodology and approach for Amazon
Corporation follow the guidelines in NIST SP 800-30 Revision 1,
Guide for Conducting Risk Assessments (NIST, 2012), together with
the findings and recommendations of the OPM OIG Final Audit Report.
The assessment is broad in scope and evaluates Amazon Corporation's
security vulnerabilities affecting confidentiality, integrity and
availability. It also recommends appropriate security safeguards,
allowing management to make knowledge-based decisions on
security-related initiatives at Amazon Corporation.
This initial risk assessment report provides an independent review
to help Amazon management determine the level of security required
to support the development of a stringent system security plan.
The review also provides the information required by the Chief
Information Security Officer (CISO) and the Designated Approving
Authority (DAA), also known as the Authorizing Official (AO), to
make an informed decision about authorizing the system to operate
(NIST, 2014). The tools used in the methodology are the MBSA and
OpenVAS vulnerability scanners and the Wireshark packet analyzer.
Data
The data in this section were collected with MBSA, OpenVAS and the
other tools during Labs 2 and 3. Both scanners convert raw scan
output into individual findings with a severity rating; OpenVAS
presents its results through the Greenbone Security Assistant web
interface, which attaches a severity score and an automated
remediation recommendation to each result. The scan output files
from those labs are the source of the vulnerabilities and attacks
listed under Results. For each finding, management has the
following option:
· Accept the risk together with the recommended control, or
negotiate an alternative mitigation, while reserving the right to
override the scanner's automated recommendation and record the
control actually selected in Amazon's Plan of Action and
Milestones (POA&M).
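The conversion of raw scan output into risks described above can be shown concretely. The following Python is an added example, not code from the original report or from the OpenVAS project: it parses a constructed sample in the shape of a Greenbone/OpenVAS XML report (the element names result, host, port, severity and nvt/solution are assumed from that format; the hosts and NVT OIDs are made up), maps each CVSS score to the Log/Low/Medium/High severity classes Greenbone uses, drops duplicate hits, and produces the per-host register and POA&M rows that the Results section should be built from.

```python
"""Added example: triage OpenVAS/Greenbone scan output into a risk register.

This is not code from the original report. SAMPLE_REPORT is a constructed
sample that follows the general shape of a GVM/OpenVAS XML report (a <result>
with <host>, <port>, <threat>, <severity> and an <nvt> carrying a <solution>).
Real reports carry many more elements and the host element may nest children,
so the field names used here are an assumption of this example. The NVT OIDs
below are made up under Greenbone's real OID prefix.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SAMPLE_REPORT = """<report><results>
<result id="r1"><name>SQL Server 2000 unsupported version</name>
 <host>192.0.2.10</host><port>1433/tcp</port><threat>High</threat><severity>10.0</severity>
 <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><solution>Upgrade to a supported SQL Server release.</solution></nvt>
</result>
<result id="r2"><name>SMB signing not required</name>
 <host>192.0.2.10</host><port>445/tcp</port><threat>Medium</threat><severity>5.3</severity>
 <nvt oid="1.3.6.1.4.1.25623.1.0.900002"><solution>Enforce SMB signing on the server.</solution></nvt>
</result>
<result id="r3"><name>SSH weak MAC algorithms</name>
 <host>192.0.2.20</host><port>22/tcp</port><threat>Low</threat><severity>2.6</severity>
 <nvt oid="1.3.6.1.4.1.25623.1.0.900003"><solution>Disable MD5 and 96-bit MACs in sshd_config.</solution></nvt>
</result>
<result id="r4"><name>OS Detection</name>
 <host>192.0.2.20</host><port>general/tcp</port><threat>Log</threat><severity>0.0</severity>
 <nvt oid="1.3.6.1.4.1.25623.1.0.900004"><solution></solution></nvt>
</result>
<result id="r5"><name>SQL Server 2000 unsupported version</name>
 <host>192.0.2.10</host><port>1433/tcp</port><threat>High</threat><severity>10.0</severity>
 <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><solution>Upgrade to a supported SQL Server release.</solution></nvt>
</result>
</results></report>"""


def severity_band(score):
    """Map a CVSS base score to the Greenbone severity classes."""
    if score <= 0.0:
        return "Log"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def parse_results(xml_text):
    """Flatten <result> elements into dicts, dropping duplicate host/port/NVT hits."""
    seen, findings = set(), []
    for r in ET.fromstring(xml_text).iter("result"):
        host = (r.findtext("host") or "").strip()
        port = (r.findtext("port") or "").strip()
        nvt = r.find("nvt")
        oid = nvt.get("oid", "") if nvt is not None else ""
        key = (host, port, oid)
        if key in seen:
            continue  # same NVT on the same service reported twice
        seen.add(key)
        score = float(r.findtext("severity") or "0")
        findings.append({
            "host": host, "port": port, "oid": oid,
            "name": (r.findtext("name") or "").strip(),
            "score": score, "band": severity_band(score),
            "solution": (nvt.findtext("solution") or "").strip() if nvt is not None else "",
        })
    return findings


def risk_register(findings):
    """Actionable findings per host, worst first; Log entries are informational only."""
    register = defaultdict(list)
    for f in findings:
        if f["band"] != "Log":
            register[f["host"]].append(f)
    for rows in register.values():
        rows.sort(key=lambda f: f["score"], reverse=True)
    return dict(register)


def band_counts(findings):
    """How many actionable findings fall in each severity class."""
    return dict(Counter(f["band"] for f in findings if f["band"] != "Log"))


def poam_rows(findings):
    """One Plan of Action and Milestones line per actionable finding."""
    return [(f["host"], f["port"], f["band"], f["name"],
             f["solution"] or "no vendor fix listed: compensating control required")
            for rows in risk_register(findings).values() for f in rows]


if __name__ == "__main__":
    fs = parse_results(SAMPLE_REPORT)
    print("severity counts:", band_counts(fs))
    for row in poam_rows(fs):
        print(" | ".join(row))
```

The deduplication key is (host, port, NVT OID) rather than the result id, because the same check reported from two scan runs gets two ids but is one risk; counting it twice would inflate the totals that the Risk Summary relies on.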
Results
The following operational and managerial vulnerabilities were
identified at Amazon using the project methodology; they mirror
the weaknesses cited in the OPM OIG audit:
· Inadequate adherence to, and advocacy for, existing security
controls.
· Inadequate management of changes to the information systems
infrastructure.
· Weak authentication protocols.
· Inadequate life-cycle management of the information systems.
· Inadequate configuration management and change management
planning.
· No robust inventory of systems, servers, databases and network
devices.
· Immature vulnerability scanning tools and practices.
The following attacks were identified as threats to Amazon using
the same methodology:
· IP address spoofing and cache poisoning attacks.
· Denial of service (DoS) and distributed denial of service (DDoS)
attacks.
· Packet analysis (sniffing).
· Session hijacking attacks.
NIST SP 800-63 (NIST, 2006), together with the OPM OIG Final Audit
Report findings and recommendations, classifies potential harm and
impact into the following categories:
· Inconvenience, distress, or damage to standing or reputation;
· Financial loss or agency liability;
· Harm to agency programs or public interests.
Potential impact of inconvenience, distress, or damage to standing
or reputation:
· Low: at worst, limited, short-term inconvenience, distress or
embarrassment to any party within Amazon.
· Moderate: at worst, serious short-term or limited long-term
inconvenience, distress or damage to the standing or reputation
of any party within Amazon.
· High: severe or serious long-term inconvenience, distress or
damage to the standing or reputation of any party within Amazon.
Potential impact of financial loss:
· Low: at worst, an insignificant or inconsequential unrecoverable
financial loss to any party, or an insignificant or
inconsequential agency liability, within Amazon.
· Moderate: at worst, a serious unrecoverable financial loss to
any party, or a serious agency liability, within Amazon.
· High: severe or catastrophic unrecoverable financial loss to any
party, or severe or catastrophic agency liability, within Amazon.
Potential impact of harm to agency programs or public interests:
· Low: at worst, a limited adverse effect on organizational
operations or assets, or on public interests, within Amazon.
· Moderate: at worst, a serious adverse effect on organizational
operations or assets, or on public interests, within Amazon.
· High: a severe or catastrophic adverse effect on organizational
operations or assets, or on public interests, within Amazon.
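The impact levels above only become a risk rating once they are combined with a likelihood level. The following Python is an added example, not part of the original report: it implements the risk-level matrix from the original NIST SP 800-30 (Table 3-6, likelihood weights 1.0/0.5/0.1 against impact values 100/50/10, banded into Low 1 to 10, Medium above 10 to 50, High above 50) and applies it to the two findings reported in the Conclusion. The likelihood and impact ratings assigned to those findings are assumptions chosen for the example; the action text paraphrases SP 800-30 Table 3-7.

```python
"""Added example: the NIST SP 800-30 (2002) risk-level matrix applied to this
report's findings. Not code from the original report; the likelihood and
impact ratings on the two findings are assumptions made for the example.
"""

# SP 800-30 Table 3-6 weights. Likelihood is kept in tenths (1.0 -> 10,
# 0.5 -> 5, 0.1 -> 1) so every score stays an exact integer.
LIKELIHOOD = {"High": 10, "Medium": 5, "Low": 1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood, impact):
    """Likelihood weight times impact value, on the 1..100 scale."""
    return LIKELIHOOD[likelihood] * IMPACT[impact] // 10


def risk_level(likelihood, impact):
    """Table 3-6 bands: Low 1-10, Medium >10-50, High >50-100."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def recommended_action(level):
    """Paraphrase of SP 800-30 Table 3-7, the action implied by each level."""
    return {
        "High": "Strong need for corrective measures; the system may keep "
                "operating only with a corrective action plan in place as soon as possible.",
        "Medium": "Corrective actions are needed; develop a plan and implement it "
                  "within a reasonable period.",
        "Low": "The authorizing official decides whether corrective action is "
               "still required or accepts the risk.",
    }[level]


# The two observations from the Conclusion; ratings are assumptions for the example.
FINDINGS = [
    ("Terminated employee's user ID still active on the system", "Medium", "Medium"),
    ("VPN/key-fob remote access below the NIST SP 800-63 assurance level", "Medium", "Medium"),
]


def assess(findings):
    """Apply the matrix to (observation, likelihood, impact) triples."""
    rows = []
    for observation, lk, im in findings:
        level = risk_level(lk, im)
        rows.append({"observation": observation, "likelihood": lk, "impact": im,
                     "score": risk_score(lk, im), "level": level,
                     "action": recommended_action(level)})
    return rows


def matrix():
    """The full 3 x 3 matrix, as a methodology section should present it."""
    return {lk: {im: risk_level(lk, im) for im in IMPACT} for lk in LIKELIHOOD}


if __name__ == "__main__":
    print("likelihood \\ impact:", list(IMPACT))
    for lk, row in matrix().items():
        print(f"{lk:>8}: {[row[im] for im in IMPACT]}")
    for r in assess(FINDINGS):
        print(f"[{r['level']:>6} {r['score']:>3}] {r['observation']}: {r['action']}")
```

Note the shape of the 2002 matrix: only High likelihood with High impact scores above 50, and Low likelihood with High impact scores exactly 10, which lands in the Low band. SP 800-30 Revision 1, the version this report cites, replaces the arithmetic with a purely qualitative lookup table; whichever form is used, the report should show the whole matrix so every rating can be traced.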
Conclusion and Recommendation
Two issues stood out in the risk assessment and are addressed
below. First, an employee was terminated and his user ID was not
removed from the system. This is an account deprovisioning
failure, a vulnerability/threat pair with an overall risk rating
of Moderate. The recommended safeguard is to remove the user ID
from the system upon notification of termination. Second, the
VPN/key-fob remote access does not meet the assurance level
stipulated in NIST SP 800-63. This vulnerability bears on
inconvenience, standing and reputation and also has an overall
risk rating of Moderate. The recommended safeguard is to migrate
all remote authentication roles to CDC or another approved
authority.
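The first finding above, a terminated employee's user ID still on the system, is a control failure that can be checked mechanically by reconciling the HR termination feed against the account list. The following Python is an added example, not code from the original report; both inputs are constructed samples, and their column names, the service-account allowlist and the grace period are assumptions of this example.

```python
"""Added example: reconcile HR terminations against enabled accounts.

Not code from the original report. HR_TERMINATIONS and ACCOUNT_EXPORT are
constructed samples (the export is the kind of thing `net user` or an Active
Directory query would give); the column names, the service-account allowlist
and the grace period are assumptions of this example.
"""
import csv
import io
from datetime import date, timedelta

HR_TERMINATIONS = """employee_id,name,termination_date
E1001,Jane Roe,2017-03-01
E1002,John Doe,2017-03-20
"""

ACCOUNT_EXPORT = """username,employee_id,enabled,last_logon
jroe,E1001,True,2017-03-15
jdoe,E1002,False,2017-03-19
asmith,E1003,True,2017-03-28
svc_backup,,True,2017-03-29
ghost,,True,2016-11-02
"""

SERVICE_ACCOUNTS = {"svc_backup"}  # known non-person accounts with a documented owner


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(accounts, terminations, as_of, grace_days=1):
    """Return (stale, unowned).

    stale:   enabled accounts whose employee was terminated more than grace_days ago
    unowned: enabled accounts with no HR record at all (orphans from a past process gap)
    """
    terminated = {t["employee_id"]: date.fromisoformat(t["termination_date"])
                  for t in terminations}
    stale, unowned = [], []
    for a in accounts:
        if a["username"] in SERVICE_ACCOUNTS:
            continue
        enabled = a["enabled"] == "True"
        if not a["employee_id"]:
            if enabled:
                unowned.append(a["username"])
            continue
        term = terminated.get(a["employee_id"])
        if term is None or not enabled:
            continue  # still employed, or already disabled
        if as_of - term > timedelta(days=grace_days):
            stale.append({
                "username": a["username"],
                "days_since_termination": (as_of - term).days,
                # a logon after the termination date is an incident, not housekeeping
                "used_after_termination": date.fromisoformat(a["last_logon"]) > term,
            })
    return stale, unowned


def audit(as_of_iso):
    """Run the reconciliation over the sample data for the given report date."""
    return reconcile(load(ACCOUNT_EXPORT), load(HR_TERMINATIONS),
                     date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    stale, unowned = audit("2017-03-31")
    for s in stale:
        print(f"REMOVE {s['username']}: terminated {s['days_since_termination']} days ago,"
              f" used after termination: {s['used_after_termination']}")
    for u in unowned:
        print(f"REVIEW {u}: enabled account with no HR owner")
```

The used_after_termination flag is the line between a housekeeping finding and an incident: an enabled stale account is a vulnerability, but one that has logged on after the termination date needs incident handling, not just deprovisioning.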
This risk assessment report identifies risks to the organization's
operations, especially in those domains that fail to meet the
minimum requirements and for which appropriate countermeasures
have yet to be implemented. The RAR also determines the
probability of occurrence and prescribes countermeasures aimed at
mitigating the identified risks, in order to provide an
appropriate level of protection and to satisfy all the minimum
requirements imposed by the organization's policy document (NIST,
2010).
The system security policy requirements are now satisfied, with
the exception of the specific areas identified in this report. The
countermeasures recommended here supplement the existing security
controls needed to meet policy and to manage the security risk to
the organization and its operating environment effectively.
Finally, the Certification Official (CO) and the AO must determine
whether the totality of the protection mechanisms provides a
sufficient level of security and is adequate for the protection of
this system and its resources and information.
References
1. Bradley, T. (2016, October 17). Critical vulnerability in Apple Mac OS. Retrieved from https://www.lifewire.com/critical-vulnerability-in-apple-mac-os-x-2487643
2. National Institute of Standards and Technology (NIST). (2010). Guide for applying the risk management framework to federal information systems. NIST Special Publication 800-37 Revision 1. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
3. National Institute of Standards and Technology (NIST). (2012). Guide for conducting risk assessments. NIST Special Publication 800-30 Revision 1. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
4. National Institute of Standards and Technology (NIST). (2014). Assessing security and privacy controls in federal information systems and organizations. NIST Special Publication 800-53A Revision 4. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
5. National Institute of Standards and Technology (NIST). (2006). Electronic authentication guideline. NIST Special Publication 800-63 Version 1.0.2. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-63ver1.0.2.pdf
6. Rouse, M. (2017). Definition: buffer overflow. Retrieved from http://searchsecurity.techtarget.com/definition/buffer-overflow
Running head: Security Assessment Report (SAR)

Security Assessment Report (SAR)
CYB 610: Cyberspace and Cybersecurity Foundations
Me
University of Maryland University College
OS Overview
Comment by Hank Williams: Where is the description of the system
being assessed? You have it in the RAR, it should be here as well.
The two documents are each half of the whole so should complement
each other.
Operating System (OS)
An operating system is the interface between a user and the
hardware resources. It is software made up of, among other things,
a file management module, a memory management module, a process
management module, an input/output control module and peripheral
device control modules.
User’s Role in OS.
To appreciate the role of users, it must be recognized that an
operating system provides users with services to execute programs
in a convenient way. Users interact with the operating system by
asking it to do each of the following:
· Execute programs directly, including through threads and
parallel programming routines.
· Perform I/O operations by writing to and reading from external
devices.
· Manipulate the file system, for example by creating directories.
· Communicate with and control processes, for example by stopping
running processes or issuing interrupts and signals.
· Detect and flag errors, a service provided in particular by the
parsers, debuggers and compilers that ship alongside the operating
system.
Kernel and OS Applications.
OS Types.
Batch operating system. There is no direct interaction between the
user and the computer: the user prepares the job on punch cards
and hands it to a computer operator. To increase throughput, jobs
with similar processing requirements are grouped into batches and
run together. This was the first generation of computing systems.
Time-sharing operating systems. This second generation of
operating systems, found mostly in Unix/Linux, allows many people
at different terminals to use one computer at the same time.
Processor time is shared among the users, hence the term
time-sharing. In distributed computing environments, processors
are connected and communicate by message passing; because of
conditions such as global starvation and global deadlock, an
additional layer of software called middleware is used, and
coordinator election algorithms are justified.
OS Vulnerabilities
Windows Vulnerabilities
A threat is an adversarial force that can directly harm the
availability, integrity or confidentiality of a computer
information system, including all its subsystems. A threat agent
is the element that provides the delivery mechanism for a threat,
while the entity that initiates the launch of a threat is referred
to as a threat actor (NIST, 2010). Threat actors are typically
motivated by curiosity, by the prospect of large monetary gain
without work, by political leverage, by some form of social
activism, or by revenge (NIST, 2014).
Intrusion Methods.
Stealth port scans are an intrusion technique in which the port
scan is designed not to be detected by auditing tools. Ordinarily,
intrusion is easy to detect by observing frequent connection
attempts that carry no data. A stealth scan avoids this in two
ways: it never completes the TCP three-way handshake (a SYN scan
sends only the initial SYN and answers the target's SYN/ACK with a
RST, so the application never logs a connection), and it can be
spread out at a very low rate so that auditing tools have
difficulty recognising the connection requests as a malicious
attempt to intrude (NIST, 2010).
The Common Gateway Interface (CGI) is an interface between
client-side and server-side computing: a CGI program runs on the
web server with the server's privileges and processes whatever
input the client sends it. Cyber criminals who are good
programmers can exploit flaws in how a CGI program handles that
input to run code on the server without ever passing through the
usual login.
Server Message Block (SMB) is an application-layer protocol that
provides shared access to files, printers, named pipes and other
resources, with permissions attached to each. An SMB probe checks
which shared resources are available on a system. A cybercriminal
who runs an SMB probe can thereby discover which files, shares and
ports are exposed on the system.
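The half-open handshake described for stealth scans leaves a recognisable pattern in a capture: SYN, SYN/ACK, then a RST from the initiator instead of the final ACK, repeated across many ports and often spread thinly over time. The following Python is an added example, not code from the original report or from any tool it names: it runs that detection over a constructed log (a CSV of time, endpoints and TCP flags, an assumed export format for a Wireshark capture) in which one host probes six ports over ten minutes while a legitimate client completes two normal connections.

```python
"""Added example: recognising a SYN ("stealth") scan in a connection log.

Not code from the original report. SAMPLE_LOG is constructed; its format (time,
endpoints and TCP flags per packet, as one might export from a Wireshark
capture) is an assumption of this example. Scanner 198.51.100.7 probes six
ports on 192.0.2.10 over ten minutes; client 192.0.2.50 makes two real
connections.
"""
import csv
import io
from collections import defaultdict

SAMPLE_LOG = """t,src,sport,dst,dport,flags
0.0,198.51.100.7,40001,192.0.2.10,22,S
0.1,192.0.2.10,22,198.51.100.7,40001,SA
0.1,198.51.100.7,40001,192.0.2.10,22,R
5.0,192.0.2.50,51000,192.0.2.10,445,S
5.0,192.0.2.10,445,192.0.2.50,51000,SA
5.1,192.0.2.50,51000,192.0.2.10,445,A
120.0,198.51.100.7,40002,192.0.2.10,80,S
120.1,192.0.2.10,80,198.51.100.7,40002,SA
120.1,198.51.100.7,40002,192.0.2.10,80,R
240.0,198.51.100.7,40003,192.0.2.10,445,S
240.1,192.0.2.10,445,198.51.100.7,40003,SA
240.1,198.51.100.7,40003,192.0.2.10,445,R
360.0,198.51.100.7,40004,192.0.2.10,1433,S
360.1,192.0.2.10,1433,198.51.100.7,40004,RA
480.0,198.51.100.7,40005,192.0.2.10,3389,S
480.1,192.0.2.10,3389,198.51.100.7,40005,RA
600.0,198.51.100.7,40006,192.0.2.10,8080,S
610.0,192.0.2.50,51001,192.0.2.10,80,S
610.0,192.0.2.10,80,192.0.2.50,51001,SA
610.1,192.0.2.50,51001,192.0.2.10,80,A
"""


def read_log(text):
    return list(csv.DictReader(io.StringIO(text)))


def flow_key(r):
    """Key every packet by (initiator, target, target port), whichever side sent it."""
    if r["flags"] in ("SA", "RA"):  # reply from the target
        return (r["dst"], r["src"], int(r["sport"]))
    return (r["src"], r["dst"], int(r["dport"]))  # initiator's SYN, ACK or RST


def flow_state(flags):
    """Classify one flow from the ordered TCP flags seen on it."""
    if not flags or flags[0] != "S":
        return "unsolicited"
    if "SA" in flags and "A" in flags:
        return "completed"    # full three-way handshake: a real client
    if "SA" in flags and "R" in flags:
        return "half_open"    # SYN, SYN/ACK, RST: nmap -sS against an open port
    if "RA" in flags:
        return "closed"       # target refused: a closed port was probed
    return "no_response"      # SYN never answered: filtered, or capture cut off


def detect_scans(records, min_ports=5):
    """Report (scanner, target) pairs that probed at least min_ports ports
    without ever completing a handshake. No time window is applied, so a
    slow scan is caught as readily as a fast one."""
    flows = defaultdict(list)
    for r in records:
        flows[flow_key(r)].append((float(r["t"]), r["flags"]))
    probes = defaultdict(dict)  # (scanner, target) -> {port: (state, first_seen)}
    for (src, dst, port), events in flows.items():
        state = flow_state([f for _, f in events])
        if state in ("half_open", "closed", "no_response"):
            probes[(src, dst)][port] = (state, events[0][0])
    report = {}
    for pair, ports in probes.items():
        if len(ports) < min_ports:
            continue
        times = [t for _, t in ports.values()]
        report[pair] = {
            "ports": sorted(ports),
            "open_ports": sorted(p for p, (s, _) in ports.items() if s == "half_open"),
            "closed_ports": sorted(p for p, (s, _) in ports.items() if s == "closed"),
            "duration_s": max(times) - min(times),
        }
    return report


if __name__ == "__main__":
    for (scanner, target), info in detect_scans(read_log(SAMPLE_LOG)).items():
        print(f"{scanner} scanned {target}: {len(info['ports'])} ports over "
              f"{info['duration_s']:.0f} s; open={info['open_ports']} "
              f"closed={info['closed_ports']}")
```

A SYN with no reply is counted as a probe of a filtered port; in a real capture it may also be a connection attempt the capture window cut off, so the min_ports threshold and the completed-handshake exclusion are what keep false positives down. The detector deliberately never windows by time, which is why the ten-minute spread in the sample does not hide the scan; it only reports how long the probes were spread over.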
Linux Vulnerabilities
A threat actor may launch a threat purposefully through an agent.
A threat actor can also be a trusted employee who commits an
unintentional human error, for instance a trusted employee who
clicks on a phishing email that then downloads malware (NIST,
2010).
Intrusion Methods.
In OS fingerprinting attacks, the attacker collects details about
the target computer's operating system and then targets that
platform. The information collected includes the vendor name, the
underlying OS and version, the device type and the like.
In buffer overflow attacks, the input supplied to a program
exceeds the buffer's capacity and spills over, overwriting data
stored at neighboring memory locations. The attacker typically
chooses the overwritten values so that they point to a location
where the exploit payload has been placed (Rouse, 2017). This
alters the execution path of the process and effectively transfers
control to the attacker's malicious code.
Mac Vulnerabilities
· Hardware tampering: reported in Mac tablets, where internal
design procedures were not followed in manufacturing the Apple
devices.
· Malicious software: discovered in the Department of Labor
payroll system running on Macs by that department's programmers.
· Phishing attacks: occurred on a hacked distributed National Data
Services system and were reported to the company.
Mobile Device Vulnerabilities
· Data entry error: reported on Windows 7 devices, where Microsoft
mobile databases logged complaints about illegal logins for the
Department of Social Welfare.
· Denial of service: reported on Windows 8 phones, where internal
routines were overloaded in MIT's Mobile Lab.
· Earthquakes: hurricanes and earthquakes in China and Japan
destroy tablets at home and in the office.
· Espionage: occurred on a hacked facial recognition system for
the FBI and was reported to Android databases.
· Floods: reported in parts of South America and Central Asia,
flooding homes and destroying mobile devices.
Risk
Comment by Hank Williams: Since you are also developing a RAR,
then Risk should be addressed there, not in the SAR.
When all the risks have been identified and their risk levels
determined, recommendations or countermeasures are drawn up to
mitigate or eliminate them. The goal is to reduce risk to a level
management considers acceptable before system accreditation can
be granted. The countermeasures are selected with reference to the
following factors:
· The effectiveness of the recommended options, including system
compatibility.
· Legislation and regulations in place.
· Organizational policy.
· Overall operational impact.
· Safety and reliability of the system in question.
Risk Summary
According to this risk assessment, 11 vulnerabilities were rated
low risk, 15 moderate risk and 7 high risk, 33 in all. Taken
together, these ratings put the overall level of risk for the
organization at Moderate. Of the 33 vulnerabilities, 49% are
considered unacceptable because serious harm affecting the
organization's operations could result; immediate, mandatory
countermeasures must be implemented for these, and resources made
available, to bring the risk down to an acceptable level. The
remaining 51% are considered acceptable because only minor
problems could result; countermeasures are nevertheless
recommended for them to reduce or eliminate the residual risk.
Each identified risk is then handled in one of the following ways.
Accepting Risk
Management knowingly retains the risk, typically because the cost
of a control exceeds the expected loss, and records the decision
in the Plan of Action and Milestones.
Transferring Risk
The financial consequence of the risk is shifted to another party,
for example through cyber insurance or contractual terms with a
service provider.
Mitigating Risk
Controls are implemented to reduce the likelihood or the impact of
the threat exploiting the vulnerability.
Eliminating Risk
The vulnerable function, system or connection is removed or
redesigned so that the vulnerability/threat pair no longer exists.
Vulnerability Assessment Methodology
Comment by Hank Williams: The methodology should be early on in
the paper, then followed by the actual vulnerabilities found. You
didn't really use the vuls found by MBSA and OpenVAS. That would
have been much more effective.
Microsoft Baseline Security Analyzer (MBSA) and OpenVAS
MBSA checks a Windows host for missing security updates and for
common administrative misconfigurations such as weak or blank
local passwords, an enabled Guest account, unnecessary services
and insecure file-system, IIS and SQL Server settings. OpenVAS
performs network vulnerability scanning against any reachable host
using its feed of network vulnerability tests (NVTs); its results
are reported through the Greenbone Security Assistant, which
assigns each finding a severity score and a recommended solution.
In Labs 2 and 3 both tools were run against the lab systems and
their automated recommendations were recorded. For each finding,
management has the option of accepting the risk together with the
recommended control, or negotiating an alternative mitigation,
while reserving the right to override the scanner's recommendation
and record the control actually chosen in Amazon's Plan of Action
and Milestones.
Conclusion
This Security Assessment Report identifies risks to the
organization's operations, especially in those domains that fail
to meet the minimum requirements and for which appropriate
countermeasures have yet to be implemented. The companion RAR
determines the probability of occurrence and prescribes
countermeasures aimed at mitigating the identified risks, in order
to provide an appropriate level of protection and to satisfy all
the minimum requirements imposed by the organization's policy
document.
The system security policy requirements are now satisfied, with
the exception of the specific areas identified in this report. The
countermeasures recommended here supplement the existing security
controls needed to meet policy and to manage the security risk to
the organization and its operating environment effectively.
Finally, the Certification Official and the Authorizing Official
(AO) must determine whether the totality of the protection
mechanisms provides a sufficient level of security and is adequate
for the protection of this system and its resources and
information. The Risk Assessment Report supplies critical
information and should be carefully reviewed by the AO prior to
making a final accreditation decision.
References
1. Bradley, T. (2016, October 17). Critical vulnerability in Apple Mac OS. Retrieved from https://www.lifewire.com/critical-vulnerability-in-apple-mac-os-x-2487643
2. National Institute of Standards and Technology (NIST). (2010). Guide for applying the risk management framework to federal information systems. NIST Special Publication 800-37 Revision 1. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
3. National Institute of Standards and Technology (NIST). (2012). Guide for conducting risk assessments. NIST Special Publication 800-30 Revision 1. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
4. National Institute of Standards and Technology (NIST). (2014). Assessing security and privacy controls in federal information systems and organizations. NIST Special Publication 800-53A Revision 4. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
5. National Institute of Standards and Technology (NIST). (2006). Electronic authentication guideline. NIST Special Publication 800-63 Version 1.0.2. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-63ver1.0.2.pdf
6. Rouse, M. (2017). Definition: buffer overflow. Retrieved from http://searchsecurity.techtarget.com/definition/buffer-overflow
Risk Management Guide for Information Technology Systems:
Recommendations of the National Institute of Standards and
Technology, by Gary Stoneburner, Alice Goguen and Alexis Feringa,
comprises public domain material from the National Institute of
Standards and Technology, Technology Administration, U.S.
Department of Commerce.
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
APPENDIX B: SAMPLE RISK ASSESSMENT REPORT
OUTLINE
EXECUTIVE SUMMARY
I. Introduction
• Purpose
• Scope of this risk assessment
Describe the system components, elements, users, field site
locations (if any), and any other
details about the system to be considered in the assessment.
II. Risk Assessment Approach
Briefly describe the approach used to conduct the risk
assessment, such as—
• The participants (e.g., risk assessment team members)
• The technique used to gather information (e.g., the use of
tools, questionnaires)
• The development and description of risk scale (e.g., a 3 x 3, 4
x 4 , or 5 x 5 risk-level
matrix).
III. System Characterization
Characterize the system, including hardware (server, router,
switch), software (e.g., application,
operating system, protocol), system interfaces (e.g.,
communication link), data, and users.
Provide connectivity diagram or system input and output
flowchart to delineate the scope of this
risk assessment effort.
IV. Threat Statement
Compile and list the potential threat-sources and associated
threat actions applicable to the
system assessed.
V. Risk Assessment Results
List the observations (vulnerability/threat pairs). Each
observation must include—
• Observation number and brief description of observation (e.g.,
Observation 1: User
system passwords can be guessed or cracked)
• A discussion of the threat-source and vulnerability pair
• Identification of existing mitigating security controls
• Likelihood discussion and evaluation (e.g., High, Medium, or
Low likelihood)
• Impact analysis discussion and evaluation (e.g., High,
Medium, or Low impact)
• Risk rating based on the risk-level matrix (e.g., High,
Medium, or Low risk level)
• Recommended controls or alternative options for reducing the
risk.
VI. Summary
Total the number of observations. Summarize the observations,
the associated risk levels, the recommendations, and any comments
in a table format to facilitate the implementation of recommended
controls during the risk mitigation process.
APPENDIX C: SAMPLE SAFEGUARD IMPLEMENTATION PLAN SUMMARY TABLE
(1) Risk (Vulnerability/Threat Pair): Unauthorized users can telnet
to XYZ server and browse sensitive company files with the guest ID.
(2) Risk Level: High
(3) Recommended Controls:
• Disallow inbound telnet
• Disallow “world” access to sensitive company files
• Disable the guest ID or assign difficult-to-guess password to the
guest ID
(4) Action Priority: High
(5) Selected Planned Controls:
• Disallow inbound telnet
• Disallow “world” access to sensitive company files
• Disabled the guest ID
(6) Required Resources: 10 hours to reconfigure and test the system
(7) Responsible Team/Persons: John Doe, XYZ server system
administrator; Jim Smith, company firewall administrator
(8) Start Date/End Date: 9-1-2001 to 9-2-2001
(9) Maintenance Requirement/Comments: Perform periodic system
security review and testing to ensure adequate security is
provided for the XYZ server
(1) The risks (vulnerability/threat pairs) are output from the risk
assessment process
(2) The associated risk level of each identified risk
(vulnerability/threat pair) is the output from the risk assessment
process
(3) Recommended controls are output from the risk assessment
process
(4) Action priority is determined based on the risk levels and
available resources (e.g., funds, people, technology)
(5) Planned controls selected from the recommended controls
for implementation
(6) Resources required for implementing the selected planned
controls
(7) List of team(s) and persons who will be responsible for
implementing the new or enhanced controls
(8) Start date and projected end date for implementing the new
or enhanced controls
(9) Maintenance requirement for the new or enhanced controls
after implementation.
MBSA
OpenVAS
Wireshark
Nmap
Project 3 Start Here
Transcript
The security posture of the information systems infrastructure
of an organization should be regularly monitored and assessed
(including software, hardware, firmware components,
governance policies, and implementation of security controls).
The monitoring and assessment of the infrastructure and its
components, policies, and processes should also account for
changes and new procurements that are sure to follow in order
to stay in step with ever-changing information system
technologies.
The data breach at the Office of Personnel Management (OPM)
is one of the largest in US government history. It provides a
series of lessons learned for other organizations in industry and
the public sector. Some critical security practices, such as lack
of diligence to security controls and management of changes to
the information systems infrastructure were cited as
contributors to the massive data breach in the OPM Office of
the Inspector General's (OIG) Final Audit Report, which can be
found in open source searches. Some of the findings in the
report include: weak authentication mechanisms; lack of a plan
for life-cycle management of the information systems; lack of a
configuration management and change management plan; lack
of inventory of systems, servers, databases, and network
devices; lack of mature vulnerability scanning tools; lack of
valid authorizations for many systems, and lack of plans of
action to remedy the findings of previous audits.
The breach ultimately resulted in removal of OPM's top
leadership. The impact of the breach on the livelihoods of
millions of people is ongoing and may never be fully known.
There is a critical need for security programs that can assess
vulnerabilities and provide mitigations.
There are 10 steps that will lead you through this project. You
should complete Project 3 during Weeks 2-5. After beginning
with the workplace scenario, continue to Step 1:
"Organizational Background."
When you submit your project, your work will be evaluated
using the competencies listed below. You can use the list below
to self-check your work before submission.
· 1.1: Organize document or presentation in a manner that
promotes understanding and meets the requirements of the
assignment.
· 1.2: Develop coherent paragraphs or points to be internally
unified and function as part of the whole document or
presentation.
· 1.3: Provide sufficient, correctly cited support that
substantiates the writer’s ideas.
· 1.4: Tailor communications to the audience.
· 1.5: Use sentence structure appropriate to the task, message
and audience.
· 1.6: Follow conventions of Standard Written English.
· 5.2 Enterprise Architecture: Knowledge of architectural
methodologies used in the design and development of
information systems, including the physical structure of a
system's internal operations and interactions with other systems
and knowledge of stan
· 5.6: Technology Awareness: Explore and address
cybersecurity concerns, promote awareness, best practice, and
emerging technology
· 7.3: Risk Management: Knowledge of methods and tools used for
risk management and mitigation of risk
· 8.1: Incident Detection: Demonstrate the abilities to detect,
identify, and resolve host and network intrusion incidents.
· 8.2: Incident Classification: Possess knowledge and skills to
categorize, characterize, and prioritize an incident as well as to
handle relevant digital evidence appropriately.
Step 1: Organizational Background
Perform quick independent research on organizational structure
in your industry sector. Describe the background of your
organization, including the purpose, organizational structure,
the network system description, and a diagram of the
organization. Include LAN, WAN, and systems in diagram
format, the intra-network, and WAN side networks, and the
internet. Identify the boundaries that separate the inner
networks from the outside networks. Take time to click on and
read about the following computing platforms available for
networks, then include a description of how these platforms are
implemented in your organization:
· common computing platforms
· cloud computing
· distributed computing
· centralized computing
· secure programming fundamentals
This information can be fictitious, or modeled from existing
organizations. Be sure to cite references.
Step 2: Organizational Threats
You just provided detailed background information on your
organization. Next, you’ll describe threats to your
organization’s system. Before you get started, select and
explore the contents of the following link: insider threats (also
known as internal threats). As you’re reading, take note of
which insider threats are a risk to your organization.
Now, differentiate between the external threats to the system
and the insider threats. Identify where these threats can occur in
the previously created diagrams. Define threat intelligence, and
explain what kind of threat intelligence is known about the
OPM breach. Relate the OPM threat intelligence to your
organization. How likely is it that a similar attack will occur at
your organization?
Step 3: Scanning the Network
Note: You will utilize the tools in Workspace for this step. If
you need help outside the classroom to complete this project,
you must register for CLAB 699 Cyber Computing Lab
Assistance (go to the Discussions List for registration
information). Primary lab assistance is available from a team of
lab assistants. Lab assistants are professionals and are trained to
help you.
Click here to access the Project 3 Workspace Exercise
Instructions. Explore the tutorials and user guides to learn more
about the tools you will use. You will perform this lab in Step
7.
To validate the assets and devices on the organization's network, run
scans with security and vulnerability assessment tools such as MBSA,
OpenVAS, Nmap, or Nessus, chosen according to the operating systems on
your organization's networks. Live network traffic can also be sampled
and inspected with Wireshark (we do this in Step 7) on either the Linux
or Windows systems. Wireshark dissects each captured frame from the
data-link layer up through the application-layer protocol, so every OSI
layer present in the traffic can be examined. Click the following link
to read more about these network monitoring tools: Tools to Monitor and
Analyze Network Activities.
Provide the report as part of the SAR.
Review the information captured in these two links, message and
protocols and Transmission Control Protocol/Internet Protocol (TCP/IP),
and identify any security-related communication, message, or data
transport protocols in use, such as TLS/SSL carried over TCP/IP, and
others. Make note of these, as they should be mentioned in your reports.
Step 4: Identifying Security Issues
You have a suite of security tools, techniques, and procedures
that can be used to assess the security posture of your
organization's network in a SAR.
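Step 4 asks for an analysis of the strength of the employee passwords recovered with the cracking tools. The script below is an added example written for this page, not code from the project or the Workspace lab: it audits a set of recovered passwords against a hypothetical corporate policy (length, character classes, decorated dictionary words) and a brute-force entropy estimate, and summarizes how many fail and why. The policy thresholds, the small common-word list and the sample passwords are all assumptions constructed for the illustration; a real audit would feed in the plaintexts the cracker recovered and the organization's actual policy.

```python
"""Password-strength audit for Step 4.

Added example; not part of the project text or the Workspace lab.
The policy thresholds, common-word list and SAMPLE passwords are
constructed assumptions for the illustration.
"""
import math
import re
from collections import Counter

# Hypothetical policy: 12+ characters, at least three of the four
# character classes, no decorated dictionary word, 50+ bits of
# brute-force entropy.
MIN_LENGTH = 12
MIN_CLASSES = 3
MIN_ENTROPY_BITS = 50
COMMON_WORDS = {"password", "amazon", "welcome", "summer", "admin",
                "letmein", "qwerty"}

CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Alphabet size contributed by each class (33 printable ASCII symbols).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
# Common leetspeak substitutions, undone before the dictionary check.
LEET = str.maketrans("@$013", "asole")


def char_classes(pw):
    """Names of the character classes present in pw."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(pw)}


def entropy_bits(pw):
    """Brute-force entropy upper bound: length * log2(alphabet size)."""
    classes = char_classes(pw)
    if not classes:
        return 0.0
    return len(pw) * math.log2(sum(CLASS_SIZES[c] for c in classes))


def dictionary_based(pw):
    """True if pw is a common word decorated only with leading/trailing
    digits or symbols, with or without leetspeak ('Password1!', 'P@ssw0rd')."""
    def strip_ends(s):
        return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    low = pw.lower()
    candidates = {strip_ends(low),
                  strip_ends(low.translate(LEET)),
                  strip_ends(low).translate(LEET)}
    return any(c in COMMON_WORDS for c in candidates)


def weaknesses(pw):
    """Policy violations for one password (empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(char_classes(pw)) < MIN_CLASSES:
        problems.append("too few character classes")
    if dictionary_based(pw):
        problems.append("dictionary word")
    if entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append("low entropy")
    return problems


def audit(passwords):
    """Summarise a password set: how many fail policy, and why."""
    details = [(pw, weaknesses(pw)) for pw in passwords]
    weak = sum(1 for _, probs in details if probs)
    by_problem = Counter(p for _, probs in details for p in probs)
    return {
        "total": len(passwords),
        "weak": weak,
        "weak_share": weak / len(passwords) if passwords else 0.0,
        "by_problem": dict(by_problem),
        "details": details,
    }


# Constructed sample standing in for the plaintexts recovered in the lab.
SAMPLE = ["Password1!", "amazon2017", "P@ssw0rd", "summer",
          "Xq7#pLm2$vRt9", "correct horse battery staple"]

if __name__ == "__main__":
    report = audit(SAMPLE)
    print(f"{report['weak']} of {report['total']} passwords fail policy "
          f"({report['weak_share']:.0%})")
    for pw, probs in report["details"]:
        print(f"  {pw!r}: {entropy_bits(pw):5.1f} bits, "
              f"{', '.join(probs) or 'passes'}")
```

The passphrase in the sample shows why a character-class rule on its own is a poor measure: "correct horse battery staple" fails the three-classes rule yet has far more brute-force entropy than "Password1!", which satisfies it. Report both the policy violations and the entropy distribution, and treat anything the cracker actually recovered as weak regardless of what the policy says about it.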
Now it's time to identify the security issues in your
organization's networks. You have already used password
cracking tools to crack weak and vulnerable passwords. Provide
an analysis of the strength of passwords used by the employees
in your organization. Are weak passwords a security issue for
your organization?
Step 5: Firewalls and Encryption
Next, examine these resources on firewalls and on auditing the
Relational Database Management System (RDBMS), i.e., the database
system and its data. Also review these resources related to access
control.
Determine how firewalls, encryption, and RDBMS auditing can help
protect information and monitor the confidentiality, integrity, and
availability of the information in the information systems.
Reflect any weaknesses found in the network and information
system diagrams previously created, as well as in the
developing SAR.
Step 6: Threat Identification
You know of the weaknesses in your organization's network and
information system. Now you will determine various known
threats to the organization's network architecture and IT assets.
Get acquainted with the following types of threats and attack
techniques. Which are a risk to your organization?
· IP address spoofing/cache poisoning attacks
· denial of service attacks (DoS)
· packet analysis/sniffing
· session hijacking attacks
· distributed denial of service attacks
In identifying the different threats, complete the following
tasks:
1. Identify the potential hacking actors of these threat attacks
on vulnerabilities in networks and information systems and the
types of remediation and mitigation techniques available in your
industry, and for your organization.
2. Identify the purpose and function of firewalls for
organization network systems, and how they address the threats
and vulnerabilities you have identified.
3. Also discuss the value of using access control, database
transaction and firewall log files.
4. Identify the purpose and function of encryption, as it relates
to files and databases and other information assets on the
organization's networks.
Include these in the SAR.
Step 7: Network Analysis
Note: You will utilize the tools in Workspace for this step.
You will now investigate network traffic, and the security of the
network and information system infrastructure overall. Past
network data has been logged and stored, as collected by a
network analyzer tool such as Wireshark.
Select the following link to enter Workspace and complete the
lab activities related to network vulnerabilities.
Perform a network analysis on the Wireshark files provided to
you in Workspace and assess the network posture and any
vulnerability or suspicious information you are able to obtain.
Include this information in the SAR. Further analyze the packet
capture for network performance, behavior, and any suspicious
source and destination addresses on the networks.
In the previously created Wireshark files, identify if any
databases had been accessed. What are the IP addresses
associated with that activity? Include this information in the
SAR.
Step 8: Suspicious Activity
Note: You will utilize the tools in Workspace for this step.
Attackers routinely scan the Internet for computers or networks to
exploit. A firewall configured to silently drop unsolicited inbound
packets, rather than reject them, gives a scanner no response at all:
the probed port appears "filtered" rather than open or closed, and an
attacker who gets no reply from any port will usually move on. The
firewall blocks the unwanted traffic, and Nmap can be used to scan the
organization's own network from the outside to see what a would-be
attacker would see.
Select the following link to enter Workspace and conduct the
port scanning. Provide your findings in the SAR deliverable.
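The Step 7 questions (was a database accessed, and from which addresses) and the Step 8 questions (can the port scan be seen in the capture, and which probed ports answered) can both be answered from a field export of the Wireshark capture. The script below is an added example written for this page, not code from the project or its lab files. It assumes the capture was exported with the tshark field list shown in the module docstring (one TCP packet per row), and the capture rows it contains are constructed for the illustration, not taken from the lab. The database port table covers MS SQL as named on this page plus the other common engines, so the same check works on captures of other environments.

```python
"""Capture triage for Steps 7 and 8: database access and port-scan detection.

Added example; not code from the project or its lab files. Input rows
follow this tshark field export (one packet per line):
  tshark -r capture.pcap -T fields -E separator=, \
    -e frame.time_relative -e ip.src -e ip.dst \
    -e tcp.srcport -e tcp.dstport -e tcp.flags -e tcp.len
The CAPTURE text below is constructed for the illustration.
"""
import csv
import io
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# MS SQL as named in the report, plus other common engines so the same
# check works on other captures.
DB_PORTS = {1433: "mssql", 1434: "mssql-browser", 3306: "mysql",
            5432: "postgresql", 1521: "oracle"}

# Constructed capture: 10.0.0.5 SYN-scans six ports on 10.0.0.10 (the
# firewall answers some, drops others); 10.0.0.21 is a real client that
# talks to MS SQL and to the web server. One UDP row has empty TCP fields.
CAPTURE = """\
0.000,10.0.0.5,10.0.0.10,40001,22,0x0002,0
0.001,10.0.0.10,10.0.0.5,22,40001,0x0014,0
0.002,10.0.0.5,10.0.0.10,40002,80,0x0002,0
0.003,10.0.0.10,10.0.0.5,80,40002,0x0012,0
0.004,10.0.0.5,10.0.0.10,40002,80,0x0004,0
0.005,10.0.0.5,10.0.0.10,40003,443,0x0002,0
0.006,10.0.0.5,10.0.0.10,40004,1433,0x0002,0
0.007,10.0.0.10,10.0.0.5,1433,40004,0x0012,0
0.008,10.0.0.5,10.0.0.10,40004,1433,0x0004,0
0.009,10.0.0.5,10.0.0.10,40005,3389,0x0002,0
0.010,10.0.0.5,10.0.0.10,40006,8080,0x0002,0
0.500,10.0.0.21,10.0.0.2,,,,
1.000,10.0.0.21,10.0.0.10,51000,1433,0x0002,0
1.001,10.0.0.10,10.0.0.21,1433,51000,0x0012,0
1.002,10.0.0.21,10.0.0.10,51000,1433,0x0010,0
1.003,10.0.0.21,10.0.0.10,51000,1433,0x0018,88
1.004,10.0.0.10,10.0.0.21,1433,51000,0x0018,512
2.000,10.0.0.21,10.0.0.10,51001,80,0x0002,0
2.001,10.0.0.10,10.0.0.21,80,51001,0x0012,0
2.002,10.0.0.21,10.0.0.10,51001,80,0x0018,300
"""


def parse_records(text):
    """Turn the tshark CSV export into dicts; non-TCP rows are skipped."""
    fields = ("t", "src", "dst", "sport", "dport", "flags", "length")
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(fields) or not row[3]:
            continue
        rec = dict(zip(fields, row))
        rec["t"] = float(rec["t"])
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["flags"] = int(rec["flags"], 16)   # tshark prints e.g. 0x0012
        rec["length"] = int(rec["length"])
        records.append(rec)
    return records


def database_sessions(records):
    """(client, server, port) -> engine, for flows that carried payload to
    a database port. A bare SYN probe never counts: data must have flowed."""
    sessions = {}
    for r in records:
        if r["dport"] in DB_PORTS and r["length"] > 0:
            sessions[(r["src"], r["dst"], r["dport"])] = DB_PORTS[r["dport"]]
    return sessions


def detect_scans(records, min_ports=5):
    """Sources that sent bare SYNs to at least min_ports distinct ports on
    one host without ever sending data there, each probed port classified
    by the target's reply: open (SYN/ACK), closed (RST) or filtered (none)."""
    probes = defaultdict(dict)            # (prober, target) -> {port: state}
    for r in records:
        if r["flags"] & (SYN | ACK) == SYN:
            probes[(r["src"], r["dst"])].setdefault(r["dport"], "filtered")
    for r in records:                     # replies flow target -> prober
        key = (r["dst"], r["src"])
        if key in probes and r["sport"] in probes[key]:
            if r["flags"] & (SYN | ACK) == (SYN | ACK):
                probes[key][r["sport"]] = "open"
            elif r["flags"] & RST:
                probes[key][r["sport"]] = "closed"
    # A prober that went on to exchange data with a port is a real client
    # of that port; scanners only knock.
    used = {(r["src"], r["dst"], r["dport"]) for r in records if r["length"] > 0}
    scans = {}
    for (src, dst), ports in probes.items():
        knocks = {p: s for p, s in ports.items() if (src, dst, p) not in used}
        if len(knocks) >= min_ports:
            scans[(src, dst)] = dict(sorted(knocks.items()))
    return scans


if __name__ == "__main__":
    recs = parse_records(CAPTURE)
    for (client, server, port), engine in database_sessions(recs).items():
        print(f"database access: {client} -> {server}:{port} ({engine})")
    for (src, dst), ports in detect_scans(recs).items():
        summary = ", ".join(f"{p}/{s}" for p, s in ports.items())
        print(f"port scan: {src} -> {dst}: {summary}")
```

Probes that drew no answer are reported as filtered; that silence is exactly what the drop-policy firewall described above produces, and it is why Nmap labels such ports filtered rather than closed. The signature to look for in Wireshark is a burst of bare SYNs from one source to many ports with no payload ever following; the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 isolates the same packets interactively. Note that the open 1433 result tells the analyst the database port is reachable from the scanning host even though no database session was established from it.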
Provide analyses of the scans and any recommendations for remediation,
if needed. Identify any suspicious activity and formulate the steps of
an incident response that could have been, or should be, enacted.
Include the responsible parties who would carry out that incident
response and any follow-up activity. Include this in the SAR. Note that
some scanning techniques are designed to be hard to notice (for example,
slow timing, or probes that never complete the TCP handshake). While
running the scan and observing network activity with Wireshark, attempt
to determine whether the scan in progress can be detected. If you cannot
identify the scan as it is occurring, indicate this in your SAR.
Step 9: Risk and Remediation
What is the risk and what is the remediation? What is the
security exploitation? You can use the OPM OIG Final Audit
Report findings and recommendations as a possible source for
methods to remediate vulnerabilities.
Read this risk assessment resource to get familiar with the process,
then prepare the risk assessment. First list the threats, then the
vulnerabilities, then pair each threat with the vulnerability it could
exploit, and for each pair determine the likelihood of that event
occurring and the level of impact it would have on the organization.
Use the OPM OIG Final Audit Report findings as a possible source for
potential mitigations. Include this in the risk assessment report (RAR).
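Step 9 asks for threat/vulnerability pairs rated for likelihood and impact, and the instructor's comment on the Methodology section of the report later on this page asks for the likelihood and impact scales and the risk matrix that turn those ratings into a final risk level per vulnerability. The block below is an added example, not part of the project text or of the student's report: it encodes the five-level likelihood by impact matrix from Table I-2 of NIST SP 800-30 Rev. 1, applies it to pairs drawn from the environment described on this page, and produces a prioritized POA&M. The likelihood and impact ratings assigned to each pair, and the treatment policy that maps a risk level to a response, are assumptions made for the illustration, not assessed findings.

```python
"""Risk determination for the RAR: likelihood x impact on the NIST
SP 800-30 Rev. 1 qualitative scale (Table I-2), applied to
threat/vulnerability pairs and turned into a prioritised POA&M.

Added example; not part of the project text or the student's report.
The pairs reference the environment described on this page, but every
likelihood/impact rating and the treatment policy are assumptions.
"""
LEVELS = ("very low", "low", "moderate", "high", "very high")

# Table I-2 of NIST SP 800-30 Rev. 1: rows are likelihood, columns are
# impact, both in LEVELS order; the cell is the resulting risk level.
RISK_MATRIX = (
    ("very low", "very low", "very low", "low",      "low"),        # likelihood very low
    ("very low", "low",      "low",      "low",      "moderate"),   # low
    ("very low", "low",      "moderate", "moderate", "high"),       # moderate
    ("very low", "low",      "moderate", "high",     "very high"),  # high
    ("very low", "low",      "moderate", "high",     "very high"),  # very high
)

# Hypothetical handling policy; an organisation sets its own.
TREATMENT = {
    "very high": "mitigate immediately; interim compensating control",
    "high": "mitigate; track to closure in the POA&M",
    "moderate": "mitigate or transfer within the planning cycle",
    "low": "accept, with monitoring",
    "very low": "accept",
}


def risk_level(likelihood, impact):
    """Combine a likelihood and an impact rating into a risk level."""
    return RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]


# (threat, vulnerability, likelihood, impact); the ratings are assumptions.
PAIRS = [
    ("External attacker exploits an unpatched operating system or DBMS",
     "Database host runs Windows XP and MS SQL 2000, both past end of support",
     "high", "very high"),
    ("Malware delivered through shared executables",
     "Executables reside on a file server running Windows 2000",
     "high", "high"),
    ("Credential theft on the remote-access path",
     "Users connect over dial-up and DSL through a Citrix server",
     "moderate", "high"),
    ("Password guessing or cracking",
     "Weak employee passwords",
     "high", "moderate"),
    ("Unauthorised change to production",
     "Inadequate adherence to change management controls",
     "moderate", "moderate"),
    ("Denial of service against the shared database server",
     "Single shared database server in Atlanta",
     "low", "high"),
]


def assess(pairs):
    """Rate every pair and return them ordered from highest risk down."""
    rows = []
    for threat, vulnerability, likelihood, impact in pairs:
        level = risk_level(likelihood, impact)
        rows.append({
            "threat": threat, "vulnerability": vulnerability,
            "likelihood": likelihood, "impact": impact,
            "risk": level, "treatment": TREATMENT[level],
        })
    # sort is stable, so pairs at the same level keep their input order
    rows.sort(key=lambda r: LEVELS.index(r["risk"]), reverse=True)
    return rows


def poam(rows, accept_below="moderate"):
    """Plan of Action and Milestones entries: one numbered line per pair
    whose risk is at or above accept_below; lower risks are accepted."""
    cutoff = LEVELS.index(accept_below)
    actionable = (r for r in rows if LEVELS.index(r["risk"]) >= cutoff)
    return [(n, r["risk"], r["vulnerability"], r["treatment"])
            for n, r in enumerate(actionable, 1)]


if __name__ == "__main__":
    ranked = assess(PAIRS)
    for r in ranked:
        print(f"{r['risk']:>9} | L={r['likelihood']}, I={r['impact']} | "
              f"{r['vulnerability']}")
    print("\nPOA&M:")
    for n, level, vuln, action in poam(ranked):
        print(f"{n}. [{level}] {vuln}: {action}")
```

The matrix is deliberately asymmetric: a very-high-likelihood event with very low impact still rates very low, while a high-impact event rates low if it is unlikely. State the scales you used in the RAR, because two assessors with the same findings but different likelihood scales will rank the same vulnerabilities differently, and the cost/benefit argument for each mitigation depends on that ranking.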
Step 10: Creating the SAR and RAR
Your research and Workspace exercise have led you to this
moment: creating your SAR and RAR. Consider what you have
learned in the previous steps as you create your reports for
leadership.
Prepare a Security Assessment Report (SAR) with the following
sections:
1. Purpose
2. Organization
3. Scope
4. Methodology
5. Data
6. Results
7. Findings
The final SAR does not have to stay within this framework, and
can be designed to fulfill the goal of the security assessment.
Prepare a Risk Assessment Report (RAR) with information on
the threats, vulnerabilities, likelihood of exploitation of security
weaknesses, impact assessments for exploitation of security
weaknesses, remediation, and cost/benefit analyses of
remediation. Devise a high-level plan of action with interim
milestones (POA&M), following a systematic methodology, to remedy your
findings. Include this high-level plan in the RAR. Summarize the
results you obtained from the vulnerability assessment tools (i.e.,
MBSA and OpenVAS) in your report.
The deliverables for this project are as follows:
1. Security Assessment Report (SAR): This should be an 8-10
page double-spaced Word document with citations in APA
format. The page count does not include figures, diagrams,
tables, or citations.
2. Risk Assessment Report (RAR): This report should be a 5-6
page double-spaced Word document with citations in APA
format. The page count does not include figures, diagrams,
tables, or citations.
3. In a Word document, share your lab experience and provide
screen prints to demonstrate that you performed the lab.
Submit your deliverables to the assignment folder.
Before you submit your assignment, review the competencies
below, which your instructor will use to evaluate your work. A
good practice would be to use each competency as a self-check
to confirm you have incorporated all of them in your work.
· 1.1: Organize document or presentation in a manner that
promotes understanding and meets the requirements of the
assignment.
· 1.2: Develop coherent paragraphs or points to be internally
unified and function as part of the whole document or
presentation.
· 1.3: Provide sufficient, correctly cited support that
substantiates the writer’s ideas.
· 1.4: Tailor communications to the audience.
· 1.5: Use sentence structure appropriate to the task, message
and audience.
· 1.6: Follow conventions of Standard Written English.
· 5.2: Enterprise Architecture: Knowledge of architectural
methodologies used in the design and development of
information systems, including the physical structure of a
system's internal operations and interactions with other systems
and knowledge of stan
· 5.6: Technology Awareness: Explore and address
cybersecurity concerns, promote awareness, best practice, and
emerging technology
· 7.3: Risk Management: Knowledge of methods and tools used
for risk management and mitigation of risk
· 8.1: Incident Detection: Demonstrate the abilities to detect,
identify, and resolve host and network intrusion incidents.
· 8.2: Incident Classification: Possess knowledge and skills to
categorize, characterize, and prioritize an incident as well as to
handle relevant digital evidence appropriately.
Basically, you are going to have a network diagram that shows
the different levels of the network (backend, intranet, DMZ,
frontend applications, etc) all the way through to the internet.
Show how you are separating the logical portions (firewalls,
switches, VLANs, etc).

Running head Risk Assessment Repot (RAR) .docx

  • 1. Running head: Risk Assessment Repot (RAR) 1 Risk Assessment Report (RAR) 8 Risk Assessment Report (RAR) CYB 610: Cyberspace and Cybersecurity Foundations Me University of Maryland University College Purpose The purpose of this risk assessment is to evaluate the adequacy of the Amazon Corporation's security. This risk assessment report provides a structured but qualitative assessment of the operational environment for Amazon corporations. It addresses
  • 2. issues of sensitivity, threats analysis, vulnerabilities analysis, risks analysis and safeguards applied in Amazon Corporation. The report and the assessment recommends use of cost-effective safeguards in order to mitigate threats as well as the associated exploitable vulnerabilities inAmazon Corporation. The Organization The Amazon Corporation's system environment is run as a distributed client and server environment consisting of a Microsoft Structured Query Language (SQL) database built with Powerful programming code. The Amazon Corporation contains SQL data files, Python application code, and executable Java and Java scripts. The SQL production data files, documented as consisting of SQL stored procedures and SQL tables, reside on a Cloud storage area network attached to a HP server running on Windows XP and MS SQL 2000 operating systems. The Python application code resides on a different IBM server running on KALI LINUX (NIST, 2014). The Amazon Corporation's executables reside on a fileserver running Windows 2000 and KALI LINUX or occasionally a local workstation is installed depending upon the loads and jobs Requirements. Their desktop computers are physically connected to a Wide Area Network (WAN). Some users revealed that they usually connect via secured dial-up and DSL connections using a powerful Citrix server. Normally, a user should connect to an active application server in their city that hosts the Amazon Corporation's application and to the shared database server located in Atlanta (NIST, 2014). Scope The scope of this risk assessment is to assess the system's use of resources and controls implemented and to report on plans set to eliminate and manage vulnerabilities exploitable by threats identified in this report whether internal and external to Amazon. 
If not eliminated but exploited, these vulnerabilities could possibly result in: · Unauthorized disclosure of data as well as unauthorized modification to the system, its data, or both and denial of
  • 3. service, denial of access to data, or both to authorized users. This Risk Assessment Report project for Amazon Corporation evaluates the confidentiality which means protection from unauthorized disclosure of system and data information, integrity which means protection from improper modification of information, and availability which means loss of system access of the system. Intrusion detection tools used in the methodology are MBSA security analyzer in Cyber 610 Lab, OpenVAS security analyzer in Cyber 610 Lab, and Wireshark security analyzer. In conducting the analysis the screenshots taken using each of the tools has been looked at with a view to arriving at relevant conclusions. Recommended security safeguards are meant to allow management to make proper decisions about security- related initiatives in Amazon. Methodology Comment by Hank Williams: You are not really describing the methodology. You should be explaining how to determine risk levels along with the tables such as impact levels, likelihood levels and the risk matrix that shows how final risk for each vulnerability is determined. Then you list each vulnerability from the SAR and apply the methodology to it to determine the risk level. Once that is done, you can then determine or recommend how to handle each vulnerability (mitigate, transfer, accept, etc), This risk assessment methodology for and approach Amazon Corporation was conducted using the guidelines in NIST SP 800-37, Risk Management Guide for Information Technology Systems and OPM OIG Final Audit Report findings and recommendations (NIST, 2012). The assessment is very broad in its scope and evaluates Amazon Corporation's security vulnerabilities affecting confidentiality, integrity, and availability. The assessment also recommends a handful of appropriate security safeguards, allowing the management to make knowledge-based decisions on security-related initiative in Amazon Corporation. 
This initial risk assessment report provides an independent review to help management at Amazon determine the appropriate level of security required to support the development of a stringent system security plan. The review also provides the information required by the Chief Information Security Officer (CISO) and the Designated Approving Authority (DAA), also known as the Authorizing Official (AO), to make an informed decision about authorizing the system to operate (NIST, 2014). The tools used in the methodology are the MBSA security analyzer, the OpenVAS security analyzer and the Wireshark packet analyzer.

Data

The data collected with MBSA and the other tools in Labs 2 and 3 records the routines each tool carried out. The MBSA and OpenVAS scans converted the raw scan data into a list of vulnerabilities, which were then rated as risks using the methodology described above. OpenVAS, through its Greenbone Security Assistant web interface, also produced the automated remediation recommendations shown in the Lab 2 and 3 output. Management has the following options for each finding:
· accept the risk and the recommended controls, or negotiate an alternative mitigation, while reserving the right to override the scanner's automated recommendation and incorporate the proposed control into Amazon's Plan of Action and Milestones (POA&M).

Results

Comment by Hank Williams:

The following operational and managerial vulnerabilities were identified at Amazon using the project methodology: inadequate adherence to and advocacy for existing security controls; inadequate adherence to management of changes to
the information systems infrastructure; weak authentication protocols; inadequate adherence to life-cycle management of the information systems; inadequate adherence to and advocacy for a configuration management and change management plan; inadequate adherence to and advocacy for a robust inventory of systems, servers, databases and network devices; and inadequate adherence to and advocacy for mature vulnerability scanning tools.

The following attacks were identified at Amazon using the same methodology: IP address spoofing and cache poisoning attacks; denial of service (DoS) attacks; packet analysis and sniffing; session hijacking attacks; and distributed denial of service (DDoS) attacks.

NIST SP 800-63 (NIST, 2006), together with the OPM OIG Final Audit Report findings and recommendations, classifies potential harm and impact into three categories: inconvenience, distress or damage to standing or reputation; financial loss or agency liability; and harm to agency programs or public interests.

Potential impact of inconvenience, distress, or damage to standing or reputation:
· Low - limited, short-term inconvenience, distress or embarrassment to any party within Amazon.
· Moderate - serious short-term or limited long-term inconvenience, distress or damage to the standing or reputation of any party within Amazon.
· High - severe or serious long-term inconvenience, distress or damage to the standing or reputation of any party within Amazon.

Potential impact of financial loss:
· Low - an insignificant or inconsequential unrecoverable financial loss to any party, or an insignificant or inconsequential agency liability within Amazon.
· Moderate - a serious unrecoverable financial loss to any party, or a serious agency liability within Amazon.
· High - a severe or catastrophic unrecoverable financial loss to any party, or a catastrophic agency liability within Amazon.

Potential impact of harm to agency programs or public interests:
· Low - a limited adverse effect on organizational operations or assets, or public interests within Amazon.
· Moderate - a serious adverse effect on organizational operations or assets, or public interests within Amazon.
· High - a severe or catastrophic adverse effect on organizational operations or assets, or public interests within Amazon.

Conclusion and Recommendation

Two striking issues came out of the risk assessment and are resolved below.

First, an employee was terminated but his user ID was not removed from the system. This is a process-dependency failure (account removal depends on the system owner being notified of the termination); the vulnerability/threat pair carries an overall risk of Moderate. The recommended safeguard is to remove the user ID from the system upon notification of termination, and to reconcile the list of active accounts against HR records periodically so that a missed notification is still caught.

Second, the VPN/key-fob remote access does not meet the certification and accreditation assurance level stipulated in NIST SP 800-63. This vulnerability touches on inconvenience, standing and reputation and carries an overall risk of Moderate. The recommended safeguard is to migrate all remote authentication roles to CDC or another approved authority.

This risk assessment report identifies the risks to the organization's operations, especially in those domains that fail to meet the minimum requirements and for which appropriate countermeasures have yet to be implemented. The RAR also determines the probability of occurrence and sets out countermeasures aimed at mitigating the identified risks, in order to provide an appropriate level of protection and to satisfy all the minimum requirements imposed by the organization's policy document (NIST, 2010). The system security policy requirements are now satisfied, with the exception of the specific areas identified in this report. The countermeasures recommended in this report add to the
additional security controls needed to meet policies and to effectively manage the security risk to the organization and its operating environment. Finally, the Certification Official (CO) and the AO must determine whether the totality of the protection mechanisms amounts to a sufficient level of security and is adequate for the protection of this system, its resources and its information.

References

1. Bradley, T. (2016, October 17). Critical vulnerability in Apple Mac OS. Retrieved from https://www.lifewire.com/critical-vulnerability-in-apple-mac-os-x-2487643
2. National Institute of Standards and Technology (NIST). (2010). Guide for applying the risk management framework to federal information systems. NIST Special Publication 800-37 Revision 1. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
3. National Institute of Standards and Technology (NIST). (2012). Guide for conducting risk assessments. NIST Special Publication 800-30 Revision 1. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
4. National Institute of Standards and Technology (NIST). (2014). Assessing security and privacy controls in federal information systems and organizations. NIST Special Publication 800-53A Revision 4. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
5. National Institute of Standards and Technology (NIST). (2006). Electronic authentication guideline. NIST Special Publication 800-63 Version 1.0.2. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-63ver1.0.2.pdf
6. Rouse, M. (2017). Definition: buffer overflow. Retrieved from http://searchsecurity.techtarget.com/definition/buffer-overflow

Running head: Security Assessment Report (SAR)

Security Assessment Report (SAR)
CYB 610: Cyberspace and Cybersecurity Foundations
Me
University of Maryland University College
OS Overview

Comment by Hank Williams: Where is the description of the system being assessed? You have it in the RAR; it should be here as well. The two documents are each half of the whole so should complement each other.

Operating System (OS)

An operating system is the interface that sits between a user and the hardware resources. It is software made up of, among others, the following modules: a file management module, a memory management module, a process management module, an input/output control module and peripheral device control modules.

User's Role in the OS

To appreciate the role of users, it must be recognized that an operating system provides users with services to execute programs in a convenient way. Users interact with the operating system when they ask it to perform each of the following:
· direct program execution, using threads and parallel programming routines;
· I/O operations, by writing to and reading from external devices;
· file system manipulation, such as creating directories;
· communication, such as stopping running processes or issuing interrupts and signals;
· program verification, through the error detection and flagging done by the parsers, debuggers and compilers that ship with the operating system.
Kernel and OS Applications

OS Types

Batch operating system. In a batch system there is no direct interaction between the user and the computer: the user prepares a job on punch cards and hands it to the computer operator, much like calling a customer care center today. To increase throughput, jobs with similar processing needs are grouped into batches and run together. This was the first generation of computing systems.

Time-sharing operating systems. This second generation of OS, found mostly in Unix/Linux, allows many people at different terminals to use one computer at the same time. Processor time is shared among the users, hence the term time-sharing. In distributed computing environments the processors are connected and communicate by message passing; because of conditions such as global starvation and global deadlock, an additional layer of software called middleware is used, and cohort and election algorithms are justified.

OS Vulnerabilities

Windows Vulnerabilities

A threat is an adversarial force that can directly harm the availability, integrity or confidentiality of a computer information system, including all of its subsystems. A threat agent is the element that provides the delivery mechanism for a threat, while the entity that initiates the launch of a threat is the threat actor (NIST, 2010). Threat actors are normally motivated by curiosity, by the prospect of large monetary gain without work, by political leverage, by some form of social activism, or by revenge (NIST, 2014).

Intrusion Methods. A stealth port scan is a scanning technique designed to avoid detection by auditing tools. An ordinary connect scan completes the TCP three-way handshake on every port, so the target application sees a connection that carries no data, and a run of such empty connections is easy to spot. A stealth (SYN, or half-open) scan sends only the initial SYN and resets the connection as soon as the SYN/ACK arrives, so no application-level connection is ever established or logged; combined with a very low probe rate, this makes it hard for auditing tools to recognize the connection requests as a malicious attempt to intrude into the system (NIST, 2010).

The Common Gateway Interface (CGI) is the interface between client-side and server-side computing: the web server hands a request to a server-side program and returns that program's output. Attackers who are good programmers can break into a system through a flawed CGI program without the usual login credentials.

Server Message Block (SMB) is an application-layer protocol that provides shared access to files, printers and named pipes, with permissions attached to each share. A probe of SMB checks which shared entities are available on a system; if an attacker runs an SMB probe, they can discover which files and services are shared and reachable.

Linux Vulnerabilities

A threat actor may purposefully launch a threat using an agent, but a threat actor could also be a trusted employee who commits an unintentional human error, such as clicking on a phishing email that then downloads malware (NIST, 2010).

Intrusion Methods. In OS fingerprinting attacks, the attacker gathers the OS details of a target computer, such as the vendor name, the underlying OS and the device type, and chooses the exploit accordingly. In buffer overflow attacks, the input supplied to a program exceeds the buffer's capacity and spills over to overwrite data stored in neighboring memory locations. The attacker usually sets the overwritten values to point to a location where the exploit payload has been placed (Rouse, 2017). This alters the execution path of the process and effectively transfers control to the attacker's malicious code.

MAC Vulnerabilities

· Hardware tampering: reported in Mac tablets; internal design procedures were not followed in manufacturing the Apple devices.
· Malicious software: discovered at the payroll system using
a Mac system by programmers in the Department of Labor.
· Phishing attacks: occurred on a hacked distributed National Data Services system and were reported to the company.

Mobile Device Vulnerabilities

· Data entry error: reported in Windows 7 devices, where Microsoft mobile databases logged complaints about illegal logins for the Department of Social Welfare.
· Denial of service: reported in Windows 8 phones; internal routines were overloaded in MIT's Mobile Lab.
· Earthquake: hurricanes and earthquakes in China and Japan destroyed tablets at home and in the office.
· Espionage: occurred on a hacked facial recognition system for the FBI and was reported to Android databases.
· Floods: reported in parts of South America and Central Asia, flooding homes and destroying mobile devices.

Risk

Comment by Hank Williams: Since you are also developing a RAR, then Risk should be addressed there, not in the SAR.

When the risks have all been identified and their risk levels determined, recommendations or countermeasures are drawn up to mitigate or eliminate them. The goal is to reduce the risk to a level management considers acceptable before system accreditation is granted. The countermeasures are justified by the following considerations:
· the effectiveness of the recommended options, such as system compatibility;
· the legislation and regulations in place;
· the strength of organizational policy;
· the overall operational impact;
· the safety and reliability of the system under consideration.

Accepting Risk

According to this risk assessment, 11 vulnerabilities were rated as low risk, 15 as moderate risk and 7 as high risk. These observations lead us to rate the overall level of risk for the organization as Moderate.
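The risk levels quoted in this section and in the RAR are stated without the likelihood/impact matrix that produces them. The following Python script, added here as an illustration and not part of the original report, applies the NIST SP 800-30 qualitative matrix (likelihood Low/Moderate/High scored 0.1/0.5/1.0 against impact Low/Moderate/High scored 10/50/100, with risk rated High above 50, Moderate above 10 and Low otherwise; SP 800-30 calls the middle level Medium) to a set of vulnerability/threat pairs and then rolls the results up the way the counts above are rolled up. The observations are constructed from findings named in this paper and in the SP 800-30 Appendix C sample; the likelihood and impact ratings assigned to them, the handling policy per risk level and the rule for the overall rating are assumptions made for the example, not the report's own.

```python
"""Qualitative risk rating with the NIST SP 800-30 likelihood x impact matrix.

Added example: the observations below are constructed from findings named in
the assessment text, and every likelihood/impact rating is an assumption made
for illustration, not a result from the report's scans.
"""
from collections import Counter
from dataclasses import dataclass

# SP 800-30 Table 3-6 scoring. Likelihood is kept as 1/5/10 (i.e. 0.1/0.5/1.0
# scaled by ten) so the products stay in exact integer arithmetic.
LIKELIHOOD = {"Low": 1, "Moderate": 5, "High": 10}
IMPACT = {"Low": 10, "Moderate": 50, "High": 100}
LEVELS = ("Low", "Moderate", "High")

# Assumed handling policy per risk level (not from the report).
HANDLING = {
    "High": "mitigate immediately; mandatory countermeasure tracked in the POA&M",
    "Moderate": "mitigate or transfer on the POA&M schedule",
    "Low": "accept and document the residual risk",
}


def risk_level(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to the SP 800-30 risk level (>50 High, >10 Moderate)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact] // 10
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


@dataclass(frozen=True)
class Observation:
    number: int
    description: str
    threat_source: str
    likelihood: str
    impact: str

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

    @property
    def handling(self) -> str:
        return HANDLING[self.risk]


# Constructed observations; the ratings are illustrative assumptions.
OBSERVATIONS = [
    Observation(1, "Terminated employee's user ID still active",
                "former insider reusing credentials", "Moderate", "Moderate"),
    Observation(2, "VPN/key-fob access below the SP 800-63 assurance level",
                "external attacker guessing or replaying credentials", "Moderate", "Moderate"),
    Observation(3, "Inbound telnet to XYZ server usable with the guest ID",
                "unauthorized user browsing sensitive files", "High", "High"),
    Observation(4, "Weak authentication protocols on application servers",
                "session hijacking", "High", "Moderate"),
    Observation(5, "Unencrypted traffic on the shared segment",
                "packet sniffing", "Moderate", "Low"),
    Observation(6, "No maintained inventory of servers and network devices",
                "forgotten unpatched host exploited", "Low", "Moderate"),
]


def summarize(observations) -> dict:
    """Count observations per risk level, always reporting all three levels."""
    counts = Counter(o.risk for o in observations)
    return {lvl: counts.get(lvl, 0) for lvl in LEVELS}


def overall_level(counts: dict) -> str:
    """Assumed rule: the level holding the most observations wins; ties go to the higher level."""
    return max(LEVELS, key=lambda lvl: (counts.get(lvl, 0), LEVELS.index(lvl)))


def report(observations) -> str:
    """Render the per-observation table plus the roll-up as plain text."""
    lines = ["No. Risk     Like.    Impact   Description / handling"]
    for o in observations:
        lines.append(f"{o.number:<3} {o.risk:<8} {o.likelihood:<8} {o.impact:<8} {o.description}")
        lines.append(f"    -> {o.handling}")
    counts = summarize(observations)
    lines.append(f"Counts: {counts}; overall risk {overall_level(counts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OBSERVATIONS))
```

With these inputs the matrix yields two Low, three Moderate and one High observation and an overall rating of Moderate; fed the paper's own counts (11/15/7) the roll-up rule gives Moderate as well. The value of writing the matrix down is that every rating in the summary table is reproducible from a stated likelihood and impact, which is what the Authorizing Official needs in order to challenge a rating rather than take it on trust.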
Transferring Risk

Of the 33 vulnerabilities identified, 49% are considered unacceptable because serious harm could result, affecting the operations of the organization.

Mitigating Risk

Immediate, mandatory countermeasures therefore need to be implemented to mitigate the risk brought about by these threats, and resources should be made available to reduce the risk to an acceptable level.

Eliminating Risk

The remaining 51% of the identified vulnerabilities are considered acceptable to the system because only minor problems may result from them; countermeasures have nevertheless been recommended to further reduce or eliminate these risks.

Vulnerability Assessment Methodology

Comment by Hank Williams: The methodology should be early on in the paper, then followed by the actual vulnerabilities found. You didn't really use the vuls found by MBSA and Open VAS. That would have been much more effective.

Microsoft Baseline Security Analyzer (MBSA) and OpenVAS

OpenVAS, through its Greenbone Security Assistant web interface, produced the automated remediation recommendations shown in the Lab 2 and 3 output, alongside the MBSA baseline findings. Management has the following options for each finding:
· accept the risk and the recommended controls, or negotiate an alternative mitigation, while reserving the right to override the scanner's automated recommendation and incorporate the proposed control into Amazon's Plan of Action and Milestones.

Conclusion

This Risk Assessment Report (RAR) identifies the risks to the organization's operations, especially in those domains that fail to meet the minimum requirements and for which appropriate countermeasures have yet to be implemented. The RAR also determines the probability of occurrence and sets out countermeasures aimed at mitigating the identified risks, in order to provide an appropriate level of protection and to satisfy all the minimum requirements imposed by the organization's policy document. The system security policy requirements are now satisfied, with the exception of the specific areas identified in this report. The countermeasures recommended in this report add to the additional security controls needed to meet policies and to effectively manage the security risk to the organization and its operating environment. Finally, the Certification Official and the Authorizing Official (AO) must determine whether the totality of the protection mechanisms amounts to a sufficient level of security and is adequate for the protection of this system, its resources and its information. The Risk Assessment Report supplies critical information and should be carefully reviewed by the AO prior to making a final accreditation decision.
References

1. Bradley, T. (2016, October 17). Critical vulnerability in Apple Mac OS. Retrieved from https://www.lifewire.com/critical-vulnerability-in-apple-mac-os-x-2487643
2. National Institute of Standards and Technology (NIST). (2010). Guide for applying the risk management framework to federal information systems. NIST Special Publication 800-37 Revision 1. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
3. National Institute of Standards and Technology (NIST). (2012). Guide for conducting risk assessments. NIST Special Publication 800-30 Revision 1. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
4. National Institute of Standards and Technology (NIST). (2014). Assessing security and privacy controls in federal information systems and organizations. NIST Special Publication 800-53A Revision 4. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
5. National Institute of Standards and Technology (NIST). (2006). Electronic authentication guideline. NIST Special Publication 800-63 Version 1.0.2. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-63ver1.0.2.pdf
6. Rouse, M. (2017). Definition: buffer overflow. Retrieved from http://searchsecurity.techtarget.com/definition/buffer-overflow

Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology, by Gary Stoneburner, Alice Goguen, and Alexis Feringa, comprises public domain material from the National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
APPENDIX B: SAMPLE RISK ASSESSMENT REPORT OUTLINE (from NIST SP 800-30)

EXECUTIVE SUMMARY

I. Introduction
• Purpose
• Scope of this risk assessment
Describe the system components, elements, users, field site locations (if any), and any other details about the system to be considered in the assessment.

II. Risk Assessment Approach
Briefly describe the approach used to conduct the risk assessment, such as:
• The participants (e.g., risk assessment team members)
• The technique used to gather information (e.g., the use of tools, questionnaires)
• The development and description of the risk scale (e.g., a 3 x 3, 4 x 4, or 5 x 5 risk-level matrix).

III. System Characterization
Characterize the system, including hardware (server, router, switch), software (e.g., application, operating system, protocol), system interfaces (e.g., communication link), data, and users. Provide a connectivity diagram or system input and output flowchart to delineate the scope of this risk assessment effort.

IV. Threat Statement
Compile and list the potential threat-sources and associated threat actions applicable to the system assessed.

V. Risk Assessment Results
List the observations (vulnerability/threat pairs). Each observation must include:
• Observation number and brief description of observation (e.g., Observation 1: User system passwords can be guessed or cracked)
• A discussion of the threat-source and vulnerability pair
• Identification of existing mitigating security controls
• Likelihood discussion and evaluation (e.g., High, Medium, or Low likelihood)
• Impact analysis discussion and evaluation (e.g., High, Medium, or Low impact)
• Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)
• Recommended controls or alternative options for reducing the risk.

VI. Summary
Total the number of observations. Summarize the observations, the associated risk levels, the recommendations, and any comments in a table format to facilitate the implementation of recommended controls during the risk mitigation process.

APPENDIX C: SAMPLE SAFEGUARD IMPLEMENTATION PLAN SUMMARY TABLE (from NIST SP 800-30)

The table has nine columns; its single sample row is shown here column by column.

(1) Risk (Vulnerability/Threat Pair): Unauthorized users can telnet to XYZ server and browse sensitive company files with the guest ID.
(2) Risk Level: High
(3) Recommended Controls:
• Disallow inbound telnet
• Disallow "world" access to sensitive company files
• Disable the guest ID or assign difficult-to-guess password to the guest ID
(4) Action Priority: High
(5) Selected Planned Controls:
• Disallow inbound telnet
• Disallow "world" access to sensitive company files
• Disabled the guest ID
(6) Required Resources: 10 hours to reconfigure and test the system
(7) Responsible Team/Persons: John Doe, XYZ server system administrator; Jim Smith, company firewall administrator
(8) Start Date/End Date: 9-1-2001 to 9-2-2001
(9) Maintenance Requirement/Comments:
• Perform periodic system security review and testing to ensure adequate security is provided for the XYZ server

Column notes:
(1) The risks (vulnerability/threat pairs) are output from the risk assessment process
(2) The associated risk level of each identified risk (vulnerability/threat pair) is the output from the risk assessment process
(3) Recommended controls are output from the risk assessment process
(4) Action priority is determined based on the risk levels and available resources (e.g., funds, people, technology)
(5) Planned controls selected from the recommended controls for implementation
(6) Resources required for implementing the selected planned controls
(7) List of team(s) and persons who will be responsible for implementing the new or enhanced controls
(8) Start date and projected end date for implementing the new or enhanced controls
(9) Maintenance requirement for the new or enhanced controls after implementation.

[Tool output screenshots (MBSA, OpenVAS, Wireshark, Nmap) not reproduced in this extraction.]
  • 24. Nmap Project 3 Start Here Transcript The security posture of the information systems infrastructure of an organization should be regularly monitored and assessed (including software, hardware, firmware components, governance policies, and implementation of security controls). The monitoring and assessment of the infrastructure and its components, policies, and processes should also account for changes and new procurements that are sure to follow in order to stay in step with ever-changing information system technologies. The data breach at the Office of Personnel Management (OPM) is one of the largest in US government history. It provides a series of lessons learned for other organizations in industry and the public sector. Some critical security practices, such as lack of diligence to security controls and management of changes to the information systems infrastructure were cited as contributors to the massive data breach in the OPM Office of the Inspector General's (OIG) Final Audit Report, which can be found in open source searches. Some of the findings in the report include: weak authentication mechanisms; lack of a plan for life-cycle management of the information systems; lack of a configuration management and change management plan; lack of inventory of systems, servers, databases, and network devices; lack of mature vulnerability scanning tools; lack of valid authorizations for many systems, and lack of plans of action to remedy the findings of previous audits. The breach ultimately resulted in removal of OPM's top leadership. The impact of the breach on the livelihoods of millions of people is ongoing and may never be fully known. There is a critical need for security programs that can assess
  • 25. vulnerabilities and provide mitigations. There are 10 steps that will lead you through this project. You should complete Project 3 during Weeks 2-5. After beginning with the workplace scenario, continue to Step 1: "Organizational Background." When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission. · 1.1: Organize document or presentation in a manner that promotes understanding and meets the requirements of the assignment. · 1.2: Develop coherent paragraphs or points to be internally unified and function as part of the whole document or presentation. · 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas. · 1.4: Tailor communications to the audience. · 1.5: Use sentence structure appropriate to the task, message and audience. · 1.6: Follow conventions of Standard Written English. · 5.2 Enterprise Architecture: Knowledge of architectural methodologies used in the design and development of information systems, including the physical structure of a system's internal operations and interactions with other systems and knowledge of stan · 5.6: Technology Awareness: Explore and address cybersecurity concerns, promote awareness, best practice, and emerging technology · 7.3: Risk Management : Knowledge of methods and tools used for risk management and mitigation of risk · 8.1: Incident Detection: Demonstrate the abilities to detect, identify, and resolve host and network intrusion incidents. · 8.2: Incident Classification: Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle relevant digital evidence appropriately. Step 1: Organizational Background
  • 26. Perform quick independent research on organizational structure in your industry sector. Describe the background of your organization, including the purpose, organizational structure, the network system description, and a diagram of the organization. Include LAN, WAN, and systems in diagram format, the intra-network, and WAN side networks, and the internet. Identify the boundaries that separate the inner networks from the outside networks. Take time to click on and read about the following computing platforms available for networks, then include a description of how these platforms are implemented in your organization: · common computing platforms · cloud computing · distributed computing · centralized computing · secure programming fundamentals This information can be fictitious, or modeled from existing organizations. Be sure to cite references. Step 2: Organizational Threats You just provided detailed background information on your organization. Next, you’ll describe threats to your organization’s system. Before you get started, select and explore the contents of the following link: insider threats (also known as internal threats). As you’re reading, take note of which insider threats are a risk to your organization. Now, differentiate between the external threats to the system and the insider threats. Identify where these threats can occur in the previously created diagrams. Define threat intelligence, and explain what kind of threat intelligence is known about the OPM breach. Relate the OPM threat intelligence to your organization. How likely is it that a similar attack will occur at your organization? Step 3: Scanning the Network Note: You will utilize the tools in Workspace for this step. If you need help outside the classroom to complete this project, you must register for CLAB 699 Cyber Computing Lab Assistance (go to the Discussions List for registration
information). Primary lab assistance is available from a team of lab assistants. Lab assistants are professionals and are trained to help you. See the Project 3 Workspace Exercise Instructions, and explore the tutorials and user guides to learn more about the tools you will use. You will perform this lab in Step 7.

In order to validate the assets and devices on the organization's network, run scans using security and vulnerability assessment tools such as MBSA, OpenVAS, Nmap, or Nessus, depending on the operating systems on your organization's networks. Live network traffic can also be sampled and inspected with Wireshark (you do this in Step 7) on either the Linux or Windows systems; Wireshark lets you inspect traffic at every OSI layer. Read more about these tools in Tools to Monitor and Analyze Network Activities. Provide the scan results as part of the SAR.

Review the two linked readings on messages and protocols and on Transmission Control Protocol/Internet Protocol (TCP/IP), and identify any security-relevant communication protocols or data transport methods in use, such as TCP/IP, SSL/TLS, and others. Make a note of these, as they should be mentioned in your reports.

Step 4: Identifying Security Issues

You have a suite of security tools, techniques, and procedures that can be used to assess the security posture of your organization's network in a SAR. Now it is time to identify the security issues in your organization's networks. You have already used password cracking tools to crack weak and vulnerable passwords. Provide an analysis of the strength of the passwords used by employees in your organization. Are weak passwords a security issue for your organization?

Step 5: Firewalls and Encryption

Next, examine the resources on firewalls and on auditing the Relational Database Management System (RDBMS), that is, the database system and its data. Also review the resources on access control. Determine how firewalls, encryption, and RDBMS auditing can help protect information and monitor the confidentiality, integrity, and availability of the information in the information systems. Reflect any weaknesses found in the network and information system diagrams created previously, as well as in the developing SAR.

Step 6: Threat Identification

You know the weaknesses in your organization's network and information system. Now determine the known threats to the organization's network architecture and IT assets. Get acquainted with the following types of threats and attack techniques. Which are a risk to your organization?

· IP address spoofing/cache poisoning attacks
· denial of service attacks (DoS)
· packet analysis/sniffing
· session hijacking attacks
· distributed denial of service attacks (DDoS)

In identifying the different threats, complete the following tasks:

1. Identify the potential threat actors behind these attacks on vulnerabilities in networks and information systems, and the remediation and mitigation techniques available in your industry and for your organization.
2. Identify the purpose and function of firewalls for organization network systems, and how they address the threats and vulnerabilities you have identified.
3. Discuss the value of access control, database transaction, and firewall log files.
4. Identify the purpose and function of encryption as it relates to files, databases, and other information assets on the organization's networks.

Include these in the SAR.

Step 7: Network Analysis

Note: You will use the tools in Workspace for this step.

You will now investigate network traffic and the security of the network and information system infrastructure overall. Past network data has been logged and stored, as collected by a network analyzer tool such as Wireshark. Enter Workspace and complete the lab activities related to network vulnerabilities. Perform a network analysis on the Wireshark files provided to you in Workspace and assess the network posture and any vulnerability or suspicious information you are able to obtain. Include this information in the SAR. Further analyze the packet capture for network performance, behavior, and any suspicious source and destination addresses on the networks. In the Wireshark files, identify whether any databases were accessed and which IP addresses were associated with that activity. Include this information in the SAR.

Step 8: Suspicious Activity

Note: You will use the tools in Workspace for this step.

Hackers frequently scan the Internet for computers or networks to exploit. An effective firewall can keep a scanner from learning much about the network: the hacker still scans ports, but if a probe draws no response and no connection, the hacker will usually move on. Note that silently dropping a probe and actively rejecting it are not the same thing: a dropped SYN shows up in the scanner's output as "filtered", whereas a RST or ICMP unreachable reply confirms that a host is present. The firewall blocks unwanted traffic, and Nmap can be used to self-scan and test how responsive the organization's network is to would-be hackers. Enter Workspace and conduct the port scanning. Provide your findings in the SAR deliverable, including analyses of the scans and any recommendations for remediation, if needed. Identify any suspicious activity and formulate the steps of an incident response that could have been, or should be, enacted. Include the responsible parties that would provide that incident response and any follow-up activity. Include this in the SAR.

Please note that some scanning tools are designed to be undetectable.
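
The two capture questions above, whether any database was reached and from which addresses (Step 7) and whether a port scan can be recognised in the traffic and what a silently dropping firewall looks like to the scanner (Step 8), can be answered offline once the Wireshark capture is exported. The following is an added example written for this page; it is not code from the course, from Workspace, or from Wireshark or Nmap. It assumes the capture was exported as CSV with the columns shown (File > Export Packet Dissections > As CSV, or tshark -T fields) and that tcp.flags is the hex value Wireshark displays; the packet records, the addresses (RFC 5737 documentation ranges) and the DB_PORTS defaults are all constructed or assumed for the example.

```python
# Added example, not code from the course, from Workspace or from Wireshark:
# offline triage of an exported capture for Step 7 (was a database reached,
# from which addresses?) and Step 8 (is a port scan visible, and what does a
# firewall that silently drops probes look like to the scanner?).
# Assumption: the capture was exported from Wireshark as CSV with the columns
# below and tcp.flags as the hex value Wireshark shows. The records are
# constructed for this example; addresses are RFC 5737 documentation ranges.
import csv
import io
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10

# Default listener ports of common database engines (assumed defaults).
DB_PORTS = {1433: "MS SQL Server", 3306: "MySQL", 5432: "PostgreSQL", 1521: "Oracle"}

# Constructed sample: 192.0.2.10 half-open scans 198.51.100.5 (Nmap -sS
# style, RST after the SYN/ACK), 203.0.113.7 really logs in to SQL Server
# and is refused by MySQL, 192.0.2.77 is ordinary web traffic.
SAMPLE_CSV = """frame,src,dst,proto,sport,dport,flags
1,192.0.2.10,198.51.100.5,tcp,40001,22,0x002
2,198.51.100.5,192.0.2.10,tcp,22,40001,0x012
3,192.0.2.10,198.51.100.5,tcp,40002,23,0x002
4,198.51.100.5,192.0.2.10,tcp,23,40002,0x004
5,192.0.2.10,198.51.100.5,tcp,40003,80,0x002
6,198.51.100.5,192.0.2.10,tcp,80,40003,0x012
7,192.0.2.10,198.51.100.5,tcp,40004,443,0x002
8,192.0.2.10,198.51.100.5,tcp,40005,1433,0x002
9,198.51.100.5,192.0.2.10,tcp,1433,40005,0x012
10,192.0.2.10,198.51.100.5,tcp,40005,1433,0x004
11,192.0.2.10,198.51.100.5,tcp,40006,3389,0x002
12,198.51.100.5,192.0.2.10,tcp,3389,40006,0x004
13,192.0.2.10,198.51.100.5,tcp,40007,8080,0x002
14,203.0.113.7,198.51.100.5,tcp,51512,1433,0x002
15,198.51.100.5,203.0.113.7,tcp,1433,51512,0x012
16,203.0.113.7,198.51.100.5,tcp,51512,1433,0x010
17,203.0.113.7,198.51.100.5,tcp,51512,1433,0x018
18,203.0.113.7,198.51.100.5,tcp,51513,3306,0x002
19,198.51.100.5,203.0.113.7,tcp,3306,51513,0x004
20,192.0.2.77,198.51.100.5,tcp,33000,80,0x002
21,198.51.100.5,192.0.2.77,tcp,80,33000,0x012
22,192.0.2.77,198.51.100.5,tcp,33000,80,0x010
"""


def parse_records(csv_text):
    """Keep the TCP rows and turn ports and flags into integers."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["proto"] != "tcp":
            continue
        records.append({"src": row["src"], "dst": row["dst"],
                        "sport": int(row["sport"]), "dport": int(row["dport"]),
                        "flags": int(row["flags"], 16)})
    return records


def classify_probes(records, min_ports=5):
    """Find sources that sent bare SYNs to many ports of one host and label
    each probed port as Nmap would: open (SYN/ACK came back), closed (RST
    came back) or filtered (no reply at all, e.g. dropped by a firewall)."""
    probes = defaultdict(dict)  # (scanner, target) -> {port: state}
    for p in records:
        if p["flags"] & SYN and not p["flags"] & ACK:
            probes[(p["src"], p["dst"])].setdefault(p["dport"], "filtered")
    for p in records:  # replies travel target -> scanner, from the probed port
        key = (p["dst"], p["src"])
        if key in probes and probes[key].get(p["sport"]) == "filtered":
            if p["flags"] & SYN and p["flags"] & ACK:
                probes[key][p["sport"]] = "open"
            elif p["flags"] & RST:
                probes[key][p["sport"]] = "closed"
    scans = {}
    for pair, ports in probes.items():
        if len(ports) >= min_ports:  # few ports from one source is not a scan
            by_state = defaultdict(list)
            for port in sorted(ports):
                by_state[ports[port]].append(port)
            scans[pair] = dict(by_state)
    return scans


def database_sessions(records, db_ports=DB_PORTS):
    """Follow the three-way handshake toward database ports so a real client
    session can be told apart from a scan probe or a refused attempt."""
    stage = {}  # (client, cport, server, dport) -> 0 refused, 1 SYN, 2 SYN/ACK, 3 ACK
    for p in records:
        f = p["flags"]
        if p["dport"] in db_ports:  # client -> server
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if f & SYN and not f & ACK:
                stage[key] = 1
            elif f & ACK and not f & SYN and stage.get(key) == 2:
                stage[key] = 3
        elif p["sport"] in db_ports:  # server -> client
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if f & SYN and f & ACK and stage.get(key) == 1:
                stage[key] = 2
            elif f & RST and stage.get(key) == 1:
                stage[key] = 0
    names = {0: "refused", 1: "no reply", 2: "half-open", 3: "established"}
    return [{"client": c, "server": s, "port": d, "service": db_ports[d], "state": names[st]}
            for (c, _cp, s, d), st in sorted(stage.items())]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for (scanner, target), ports in classify_probes(recs).items():
        print(f"SYN scan {scanner} -> {target}: {ports}")
    for s in database_sessions(recs):
        print(f"{s['service']} {s['client']} -> {s['server']}:{s['port']} {s['state']}")
```

On the constructed capture the scanner is reported with three open, two closed and two filtered ports; the filtered ones (443 and 8080) are what a firewall that drops rather than rejects produces, and they tell the scanner nothing. The SQL Server rows show the distinction the Step 7 question needs: the scanner's probe of port 1433 stays "half-open" (SYN/ACK answered with a RST, as Nmap's -sS does), while 203.0.113.7 completes the handshake and is the address to report as having accessed the database.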
While running the scan and observing network activity with Wireshark, attempt to detect the scan in progress. If you cannot identify the scan as it is occurring, indicate this in your SAR.

Step 9: Risk and Remediation

What is the risk and what is the remediation? What is the security exploitation? You can use the OPM OIG Final Audit Report findings and recommendations as a possible source of methods for remediating vulnerabilities. Read the risk assessment resource to get familiar with the process, then prepare the risk assessment. First list the threats, then the vulnerabilities, then make pairwise comparisons of each threat against each vulnerability, and for each pair determine the likelihood of that event occurring and the level of impact it would have on the organization. Use the OPM OIG Final Audit Report findings as a possible source of potential mitigations. Include this in the risk assessment report (RAR).

Step 10: Creating the SAR and RAR

Your research and Workspace exercise have led you to this moment: creating your SAR and RAR. Consider what you have learned in the previous steps as you create your reports for leadership.

Prepare a Security Assessment Report (SAR) with the following sections:

1. Purpose
2. Organization
3. Scope
4. Methodology
5. Data
6. Results
7. Findings

The final SAR does not have to stay within this framework, and can be designed to fulfill the goal of the security assessment.

Prepare a Risk Assessment Report (RAR) with information on the threats, vulnerabilities, likelihood of exploitation of security weaknesses, impact assessments for exploitation of security weaknesses, remediation, and cost/benefit analyses of remediation. Devise a high-level plan of action with interim milestones (POAM), in a system methodology, to remedy your findings. Include this high-level plan in the RAR. Summarize the results you obtained from the vulnerability assessment tools (i.e., MBSA and OpenVAS) in your report.

The deliverables for this project are as follows:

1. Security Assessment Report (SAR): This should be an 8-10 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
2. Risk Assessment Report (RAR): This report should be a 5-6 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
3. In a Word document, share your lab experience and provide screen prints to demonstrate that you performed the lab.

Submit your deliverables to the assignment folder. Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice is to use each competency as a self-check to confirm you have incorporated all of them in your work.

· 1.1: Organize document or presentation in a manner that promotes understanding and meets the requirements of the assignment.
· 1.2: Develop coherent paragraphs or points to be internally unified and function as part of the whole document or presentation.
· 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.
· 1.4: Tailor communications to the audience.
· 1.5: Use sentence structure appropriate to the task, message and audience.
· 1.6: Follow conventions of Standard Written English.
· 5.2: Enterprise Architecture: Knowledge of architectural methodologies used in the design and development of information systems, including the physical structure of a system's internal operations and interactions with other systems and knowledge of stan
· 5.6: Technology Awareness: Explore and address cybersecurity concerns, promote awareness, best practice, and emerging technology.
· 7.3: Risk Management: Knowledge of methods and tools used for risk management and mitigation of risk.
· 8.1: Incident Detection: Demonstrate the abilities to detect, identify, and resolve host and network intrusion incidents.
· 8.2: Incident Classification: Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle relevant digital evidence appropriately.

Basically, you are going to produce a network diagram that shows the different levels of the network (backend, intranet, DMZ, frontend applications, etc.) all the way through to the Internet. Show how you are separating the logical portions (firewalls, switches, VLANs, etc.).
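
The pairwise threat-against-vulnerability scoring that Step 9 calls for, with likelihood and impact combined into a qualitative risk level and the pairs ordered into POAM milestones, is shown below as an added example written for this page; it is not code or data from the course, from NIST or from the OPM OIG report. The threats are the five listed in Step 6; the vulnerabilities, likelihood and impact ratings, remediations and residual likelihoods are constructed for illustration, and the likelihood-by-impact table is modelled on the qualitative table in NIST SP 800-30 Rev. 1 Appendix I and should be checked against the published table before it is cited in a RAR.

```python
# Added example (not course, NIST or OPM OIG material): the Step 9 pairwise
# threat/vulnerability risk register with POAM ordering. Every pair, rating
# and remediation below is constructed for illustration.
LEVELS = ["very low", "low", "moderate", "high", "very high"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Level of risk for each likelihood (row) and impact (column), both in LEVELS
# order. Modelled on the qualitative table in NIST SP 800-30 Rev. 1 Appendix I;
# verify against the published table before citing it.
RISK_TABLE = {
    "very low":  ["very low", "very low", "very low", "low",      "low"],
    "low":       ["very low", "low",      "low",      "low",      "moderate"],
    "moderate":  ["very low", "low",      "moderate", "moderate", "high"],
    "high":      ["very low", "low",      "moderate", "high",     "very high"],
    "very high": ["very low", "low",      "moderate", "high",     "very high"],
}


def risk_level(likelihood, impact):
    """Qualitative risk for one threat/vulnerability pair."""
    return RISK_TABLE[likelihood][RANK[impact]]


# Constructed vulnerabilities: impact if exploited, the planned remediation,
# and the likelihood that remains once the remediation is in place.
VULNERABILITIES = {
    "cleartext database traffic": {
        "impact": "high", "residual": "very low",
        "remediation": "require TLS on the SQL listener and reject unencrypted sessions"},
    "cleartext logins": {
        "impact": "moderate", "residual": "low",
        "remediation": "serve the application over HTTPS only"},
    "predictable session tokens": {
        "impact": "high", "residual": "very low",
        "remediation": "issue session tokens from a CSPRNG and rotate them at login"},
    "no ingress filtering at perimeter": {
        "impact": "moderate", "residual": "very low",
        "remediation": "drop packets with internal source addresses on the outside interface"},
    "no rate limiting on public services": {
        "impact": "very high", "residual": "low",
        "remediation": "rate limit at the edge and contract upstream DDoS scrubbing"},
}

# The five threats from Step 6, each mapped to the vulnerabilities it can
# exploit with the assessed likelihood of that pairing. A threat that cannot
# exploit a vulnerability has no entry: that is the pairwise comparison.
THREATS = {
    "packet sniffing": {"cleartext database traffic": "high", "cleartext logins": "high"},
    "session hijacking": {"cleartext logins": "moderate", "predictable session tokens": "moderate"},
    "IP spoofing / cache poisoning": {"no ingress filtering at perimeter": "low"},
    "denial of service": {"no rate limiting on public services": "moderate"},
    "distributed denial of service": {"no rate limiting on public services": "high"},
}


def build_register(threats=THREATS, vulns=VULNERABILITIES):
    """Score every applicable pair, then order it for the POAM: highest risk
    first, and within a level the remediation that removes the most risk."""
    rows = []
    for threat, exploitable in threats.items():
        for vuln, likelihood in exploitable.items():
            v = vulns[vuln]
            rows.append({
                "threat": threat, "vulnerability": vuln,
                "likelihood": likelihood, "impact": v["impact"],
                "risk": risk_level(likelihood, v["impact"]),
                "remediation": v["remediation"],
                "residual_risk": risk_level(v["residual"], v["impact"]),
            })
    rows.sort(key=lambda r: (-RANK[r["risk"]],
                             -(RANK[r["risk"]] - RANK[r["residual_risk"]]),
                             r["threat"], r["vulnerability"]))
    for n, r in enumerate(rows, 1):
        r["milestone"] = n
    return rows


def format_register(register):
    """Plain-text table for the RAR / POAM appendix."""
    lines = ["#  risk       residual   threat -> vulnerability"]
    for r in register:
        lines.append(f"{r['milestone']:<2} {r['risk']:<10} {r['residual_risk']:<10} "
                     f"{r['threat']} -> {r['vulnerability']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_register(build_register()))
```

Two things the constructed register makes visible that a prose list of threats does not: the same vulnerability paired with two threats (no rate limiting, against DoS and DDoS) yields two different risk levels because the likelihoods differ, and a remediation does not always bring a pair down to "low"; the DDoS row stays at "moderate" after remediation and that residual risk is what leadership has to accept or fund further.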