Cyber-Security Issues - Assignment Example


Extract of sample "Cyber-Security Issues"

University Affiliation:

Cyber-Security

Equifax was the subject of a serious data breach, and the response to it has been poorly managed over the past few months. Discuss the nature of the attack, how the management handled it, how it could have been prevented, and the impact on the company and its customers.

The devastating cyber-attack on Equifax was the result of an Apache Struts vulnerability and affected about 143 million customers. In this attack, hackers stole private customer information such as passwords and credit-card numbers that was meant to remain within the company. According to Moore (2017), the attack was in progress for about 5 months before it was noticed, and he argues that some experts believed the Equifax data breach was due to an older vulnerability that the company was aware of and could have prevented. After the attack, the management apologized and took immediate steps to prevent further damage, including credit monitoring, credit freezes, fraud alerts and identity threat protection (Hedley & Jacobs, 2017). This was a positive step, but it did not prevent the servers from being attacked again. Analysis of the Equifax breach traced it to a vulnerability exploit, which suggests that modern attackers are aware of all types of vulnerabilities in a system's firewall. To this end, all IT personnel should give vulnerability management the highest priority, which calls for a change of process. On the other hand, Justin Shipe, vice president of CardConnect, argues that preventing such attacks often needs more than a change of process.

On a scale of 0 to 10 (where 10 is the highest), the Apache Struts vulnerability is rated at 9, meaning the breach was too heavy for Equifax to handle. According to Moore (2017), Equifax needed an Intrusion Detection System (IDS); he suggests that a lack of security knowledge was the main factor in the data breach, and that more power should be given to risk management teams, or reputable third-party auditors should be hired to manage the company's security policies. The breach affected the company's steady profits and growth. Customers felt insecure about their personal information and wondered how secure the information they keep giving to those they trust really is.

You work for a major Washington, DC law firm. Your only senior cyber-security specialist, who was with the company for 2 years, just quit and has a better job with a major competitor for a substantial increase in pay and fewer hours. He gave 2 weeks' notice. What is your next course of action as the CISSO to minimize the risks to the company, including finding some form of replacement?

A CISSO who has worked with the same senior cyber-security officer for 2 years must have noticed that the individual is very competent and hardworking, for him/her to win a new job with more pay and fewer hours. As a leader in this position, this should also be the opportunity to put your hiring skills to the test by hiring someone as competent and hardworking as the senior specialist, or someone better, because you now have 2 more years of experience. Goetsch and Davis (2014) argue that two weeks is enough time to post an advert on television. The advantage the manager will have is that the candidates will be interviewed by both the current senior cyber-security specialist and the manager, who together decide who is best for the position.

Secondly, being a senior specialist means having access to business secrets and organizational plans that keep the company ahead of its competitors. For a senior specialist to accept an offer from a competitor is therefore a big minus for the company. Von Solms and Van Niekerk (2013) suggest that, to cope with the sudden change, the manager could either use the departing senior specialist to leak a few of the business strategies the competitor plans to deploy, or look for a similar senior employee at the competitor who could keep the manager updated on what plans are underway, in order to remain on top of or relevant in the market. They go on to explain that there is a high chance the current specialist will be drawn into talks on how to improve the new company and will share some of the plans he or she had with the old company. So taking immediate action before the senior specialist clears with the company will help the manager deal with the situation.

You work as the CISO for a manufacturing company in Pittsburg, PA that has a small cybersecurity staff as part of its IT department. The CEO asks you whether this is the right place for the growing cybersecurity program. As part of a memo to the CEO, discuss the pros and cons of moving the cybersecurity group to another organizational unit including the CFO office, the legal department, or the privacy group.

Moving security groups to other organizational units can be considered a form of decentralization. Decentralization is a new technology that allows organizations to transfer or move departments away from a single administrative center. Von Solms and Van Niekerk (2013) argue that one of the greatest benefits of moving organizational units is that it avoids putting all your eggs in one basket, which is one of the leading causes of organizational failure. In cases where part of a domain controller fails, using multiple controllers can provide a level of fault tolerance, unlike relying on one server, where a failure also paralyzes organizational tasks. Von Solms and Van Niekerk (2013) suggest that not only will transferring units enable faster innovation, but employees will also take considerably more ownership of risk.

Decentralizing organizations can also create greater chances of achieving organizational goals more quickly, because more organizational branches mean more access to customers, which in turn helps the organization gain acceptance in the market. Lastly, moving to other organizational units can improve the chances of detecting security breaches before they paralyze a section of the system (Rittinghouse & Ransome, 2016). Contrary to the benefits of decentralizing organizations, Kirda (2017) explains that not only does moving units require more consistent and stronger communication, but it also needs more resources to employ more staff, or else the organization will not be productive. Lastly, in decentralized organizations, risk can be mischaracterized or overlooked (Kirda, 2017).

Explain how an organization’s information security policy needs to be integrated with policies of at least three other departments found in an average size business, including Human Resources. Describe how one can impact another and give specific examples.

An information security policy (ISP) is a set of rules approved by an organization to make sure every user or member of staff abides by its directions regarding the security of data stored digitally within the organization. According to Safa, Von Solms and Furnell (2016), integrity, availability, and confidentiality are the key elements of an ISP, and they determine whether the integration conducted will be successful. One of the factors to consider when integrating department policies is information security objectives. Safa et al. (2016) argue that organizations that succeed in developing a working ISP usually have well-defined goals that guide their departments. Without well-defined goals, the ISP will not be effective across all departments.

Secondly, the departments must have a similar scope. An ISP addresses all programs, data, facilities, and systems of an organization's third parties and technology users, without special cases. Lastly, all the departments must have something to protect, and their data is one such thing. A security program protects nothing but data, which means that what characterizes a business's value is its own data. Data to be protected may include plans, designs, source code, customer information, product information, and drawings. Data breaches are the result of not protecting data confidentiality. A failure in data integrity could allow a Trojan horse to be compiled into your software. To ensure all these data problems are addressed, all the departments coming together to integrate their policies must see their data as valuable (Cherdantseva, Burnap, Blyth, Eden, Jones, Soulsby & Stoddart, 2016).

There are several NIST documents that can be used to determine the shape of a cybersecurity department. Select two of these and discuss how they might be of value to a small commercial business.

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the US Department of Commerce whose mission is to promote industrial competitiveness and innovation. Some of the documents NIST has published that could be used to determine the shape of a cybersecurity department include the "Guide to Cyber Threat Information Sharing", the "NIST Releases Cybersecurity Framework Version 1.0" and the "Cybersecurity Best Practices Guide for IIROC Dealer Members". According to Zheng and Lewis (2015), their abstract explains that the document was mainly intended for privacy officers, network and system administrators, and security staff, all of which are groups found in the departments of small businesses.

With knowledge of these documents, the commercial business will learn how to handle sensitive information, the challenges and importance of sharing information, and the benefits of building trust; the documents also provide guidelines that can help the security and privacy team improve risk management tasks and cyber-security operations. All of the above-mentioned tasks are key to the success of the business (Zheng & Lewis, 2015). The NIST Releases Cybersecurity Framework also explains six ways to develop a secure culture in a business. The guide will equip the small commercial business with knowledge of how to keep its sensitive data away from attackers, helping the business gain a good reputation and the trust of its customers. Lastly, Von Solms and Van Niekerk (2013) suggest that focusing on privacy and cybersecurity is a step towards the success of the business. They add that strategy and transformation (advancement through the implementation of new technology), privacy and customer protection (building trust and beginning to grow), implementation and operations (integrating and improving technology), and finally incident and threat management (identifying and responding to threats) are the four main elements of propelling transformation and achieving business growth that a small business can borrow. To this end, the documents not only give direction on how to identify and respond to threats but also guide the business from start to finish on matters concerning cybersecurity and the privacy of organizational data.

Identify at least three tools that are commonly used to automate cybersecurity risk assessment. Describe the product, its functionality, the implementation platform, and the costs over a five-year period.

For about fifteen years, cyber-attacks have been used to breach company data, with immense losses. With the constant increase in cyber threats, companies, with help from the government, began developing tools to identify, understand, and mitigate these attacks in order to prevent data breaches. Examples of these tools include the FFIEC Cyber-Security Assessment Tool (FFIEC), the Baldrige Cyber-Security Excellence Builder (BCEB) and vsRisk.

The FFIEC tool was designed to assist institutions in identifying risks and determining their preparedness. The tool conducts a two-part survey: the cyber-security maturity assessment, used to identify an organization's level of preparedness, and the inherent risk profile, used to determine an organization's current level of cyber-security (Sommestad, Ekstedt & Holm, 2013). According to Nate (2017), the FFIEC's inherent risk profile has 5 categories: delivery channels; technology and connection types; organizational characteristics; external threats; and online or mobile products and technology services. The FFIEC's maturity assessment has 6 sub-categories: cyber incident management and resilience, external dependency management, cybersecurity controls, cyber risk management and oversight, and threat intelligence and collaboration (Nate, 2017). Some of the FFIEC's benefits include the use of a repeatable and measurable process for assessing risk preparedness over a period of time and determining the level to which an organization is exposed (Nate, 2017). The product ranges from $4,500 to $5,500.

The second tool is the Baldrige Cyber-Security Excellence Builder (BCEB). According to Moore (2017), the developers built the tool with five functions in mind: identification (ID), protection (PR), detection (DE), response (RS), and recovery (RC). BCEB's functionality includes identifying priorities to be implemented, assessing cyber-security results, and prioritizing investment in cyber-security risk management (Moore, 2017).

Lastly, there is the vsRisk tool. The tool reduces the heavy burden of relying on spreadsheets and provides a reliable, robust and consistent risk assessment. After a threat has been identified and analyzed, the tool can generate well-organized reports that IT specialists can use to learn more about how the organization has been responding to cyber-attacks (Sommestad et al., 2013).

You are tasked with selecting a security management model for your medium-sized professional services organization. Compare the pros and cons for each model and develop a set of evaluation criteria that might be used to select the correct one for your company.

ISO 27000 Series

Pros

  • Assures clients and employees that their data is safe with the company
  • Compliance and security
  • Improves focus and structure of an organization
  • Marketing advantage
  • Lowering the expenses
  • Puts your business in order
  • Enhances and protects your reputation
  • Not mandatory to share targets

Cons

  • Time consuming
  • Restricted to business-to-business
  • Limited customer awareness
  • Completely independent assessment

Table 1: ISO 27000 Series (Cherdantseva et al., 2016)

NIST Security Model

Pros

  • Vetted by organization
  • Engages stakeholders
  • Broadly and neutrally applicable

Cons

  • Time consuming
  • Limited customer awareness

Table 2: NIST (Casola, De Benedictis, Modic, Rak & Villano, 2016)

COBIT (Control Objectives for Information and Related Technology)

Pros

  • Has a direct impact on the business, both strategic and operational
  • Minimizes risk
  • Regulatory environment
  • Helps to build trust
  • Efficient and productive
  • Increases capability
  • Credible
  • Accessible

Cons

  • Time consuming

Table 3: COBIT (Cherdantseva et al., 2016)

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

Pros

  • Improves cyber-security
  • Saves major costs
  • Improves internal control, especially in risk management
  • Attracts more attention from investors
  • Offers a complete guideline for effective risk management

Cons

  • Focuses a lot on internal control, neglecting the influence of the external environment on business risk
  • Gaps in controls
  • No usable list of controls
  • Stakeholders are not fully involved
  • Uses probability in measuring risk

Table 4: COSO (Casola et al., 2016)

ITIL (Information Technology Infrastructure Library)

Pros

  • Improves customer relationships and satisfaction
  • Reliable and offers quality services
  • Proven and used worldwide
  • Competitive advantage through agile changes and value creation
  • Manages business risks better
  • Improves service delivery
  • Higher visibility of assets and IT cost
  • Reduces costs

Cons

  • Time consuming to implement
  • Disruptive when imposing change on an organization
  • Short-term needs easily disrupt sustained efforts
  • Costly when it comes to training
  • Takes too long to start seeing benefits

Table 5: ITIL (Cherdantseva et al., 2016)

There are several vendors that offer digital certificates. Review at least 3 of them and make a recommendation for a small online retail start-up. List the criteria that should be used to evaluate the products and make a recommendation.

Today, most businesses operate online, and with cyber-attacks around every corner, no user is to be trusted. To ensure all data from user forms is secure and encrypted before being sent to the server, developers turn to digital certificates. A digital certificate can be defined as an electronic message attachment basically used to enhance security while browsing (Cherdantseva et al., 2016). A digital certificate's main role is to verify that the user sending the request or message is exactly who s/he claims to be, and to provide the recipient with an encrypted response. According to Liu, Barnes and Andrews (2017), there are basically 3 types of digital certificates: the client certificate, the code signing certificate and the secure socket layer (SSL) certificate.

From the description above, the certificate is meant for a small online retail shop. Attackers do not target small shops to breach their data, but nevertheless the best certificate for this purpose would be one installed on the server to prevent server-side execution of unwanted requests. To this end, the SSL certificate is the most appropriate for the retail shop. Cherdantseva et al. (2016) explain that since it is a start-up retail shop, something cheap and very effective is the way to go. An SSL certificate goes for about $10-$20 annually, which is affordable. Not only is SSL affordable, but it also provides trust to your customers when they link your online retail shop to their preferred payment methods (Liu et al., 2017). An SSL certificate also encrypts sensitive information such as the credit card security key and the user's username and password, boosting security (Liu et al., 2017).

The CEO for a small university in Kirby, Wyoming just came back from a board meeting where cloud computing was recommended as a cost-saving measure. She is asking you to summarize which assets could be moved to the cloud and which should be retained in-house for security reasons. Justify your rationale.

The world today is enjoying cloud computing technology, which has made many things possible, such as e-commerce, online flight booking and other government services for which, in the old days, you had to queue for hours. Institutions are not left behind, because not all students of a university can fit into the university library at the same time, and better ways have to be implemented to ensure all students get the best services at all times. Rittinghouse and Ransome (2016) argue that in a university scenario, the school library, email server, disaster recovery, application server, database server and web server are some of the assets to be moved to the cloud. Desktop computers will be left in-house, where the public internet will be used to interact with the online assets.

In the cloud, Rittinghouse and Ransome (2016) explain, the email server will be used to send both emails and SMS to students and staff. This works best if it has been pre-programmed to send the messages over a period of time. The database server will be used to process students' requests for required library books and for financial records. The application server will be used to run software such as operating systems and other software like anti-virus to boost security in the cloud. Lastly, disaster recovery will be used to create regular automated backups of the database and files to prevent their loss in the event of attacks (Cherdantseva et al., 2016).

You work for a small bank. One of the branch managers in Albuquerque, NM just called to say that his branch computers have become infected with ransomware and his branch is no longer able to process transactions. What questions are you going to ask about the infection, what directions are you going to give to the branch manager, who has no technical support at the remote location, and what steps are you going to take to prevent it from spreading to the other 15 branches?

Banks use virtual private networks (VPNs) to transact business for security purposes. VPNs are very secure since they use highly encrypted credentials during authentication. For that matter, the first things that come to mind are: who were among the last people to have access to the computer before the ransomware was discovered? At what time was the ransomware discovered? Apart from that, according to the server, which user has access to which computer, and what did they do? On the other hand, this could be an inside job, where a member of staff attacked the computer or was used to gain access to it. Since the branch manager is not technically literate, Kirda (2017) suggests that shutting down all computers from the main power source could be an appropriate way to prevent further attacks, considering that nobody in the bank is conversant with the attack.

In some situations, the power switches cannot be accessed from within the bank, calling for different measures to prevent the spread of the ransomware. First, I would ensure s/he filters ".exe" file extensions over email, by ensuring that all downloaded file extensions are ones they normally use, or by blocking attachment downloads from the online server. Second, I would guide him on how to disable files executing from the AppData/LocalAppData directories, because if an executable file had been downloaded earlier, it would be found in that directory by default, so preventing it from executing is a way to prevent it from spreading. Lastly, scanning a computer involves only a few clicks, and guiding him on how to scan the whole computer to remove suspicious files is a way to prevent ransomware from spreading (Cherdantseva et al., 2016).
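The first of the measures above (filter ".exe" over email and allow only the extensions staff normally use) can be expressed as a simple attachment check. The following is an added example, not code from the essay or any product it cites; the allowlist, the function names and the sample attachments are all constructed assumptions. It goes slightly beyond the text by also catching double extensions and executables renamed as documents.

```python
"""Email attachment allowlist check for the ransomware response described above.

Added example (not from the original essay). Constructed allowlist and samples.
"""
from __future__ import annotations

# Extensions the branch normally exchanges (assumed allowlist for this example).
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".csv", ".jpg", ".png", ".txt"}

# Executable and script extensions that should never arrive by email.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                      ".ps1", ".hta", ".dll", ".msi"}

# Windows executables (PE files) start with the "MZ" DOS header whatever they are named.
PE_MAGIC = b"MZ"


def all_extensions(filename: str) -> list[str]:
    """Return every suffix of the name, lowercased: "report.pdf.exe" -> [".pdf", ".exe"].

    Double extensions are a common way to disguise an executable as a document,
    so the check looks at all of them rather than only the last one."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename: str, content: bytes) -> tuple[str, str]:
    """Decide whether an attachment may be delivered: ("allow" | "block", reason).

    Blocks if any extension is an executable type, if the final extension is not
    on the allowlist, or if the bytes look like a PE file despite a harmless name."""
    exts = all_extensions(filename)
    if not exts:
        return "block", "no extension"
    blocked = [e for e in exts if e in BLOCKED_EXTENSIONS]
    if blocked:
        return "block", f"executable extension {blocked[0]}"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return "block", f"extension {exts[-1]} not in allowlist"
    if content[:2] == PE_MAGIC:
        return "block", "content is a Windows executable (MZ header) despite its name"
    return "allow", "ok"


def filter_mailbox(attachments: list[tuple[str, bytes]]) -> dict[str, tuple[str, str]]:
    """Apply classify_attachment to (filename, bytes) pairs and return the decisions."""
    return {name: classify_attachment(name, data) for name, data in attachments}


# Constructed sample attachments; the byte strings are made up, not real files.
SAMPLE_ATTACHMENTS = [
    ("statement.pdf", b"%PDF-1.4 constructed sample"),
    ("invoice.pdf.exe", b"MZ\x90\x00 constructed header"),
    ("update.scr", b"MZ\x90\x00 constructed header"),
    ("photo.jpg", b"MZ\x90\x00 constructed: executable renamed as an image"),
    ("notes.txt", b"plain constructed text"),
    ("archive.7z", b"7z\xbc\xaf constructed"),
]

if __name__ == "__main__":
    for name, (decision, reason) in filter_mailbox(SAMPLE_ATTACHMENTS).items():
        print(f"{decision:5s} {name:18s} {reason}")
```

A mail gateway would apply the same decision before delivery; in the sample set only statement.pdf and notes.txt pass.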

References

Casola, V., De Benedictis, A., Modic, J., Rak, M., & Villano, U. (2016, June). Per-service security SLA: a new model for security management in clouds. In Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), 2016 IEEE 25th International Conference on (pp. 83-88). IEEE.

Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cyber security risk assessment methods for SCADA systems. Computers & Security, 56, 1-27.

Goetsch, D. L., & Davis, S. B. (2014). Quality management for organizational excellence. Upper Saddle River, NJ: Pearson.

Hedley, D., & Jacobs, M. (2017). The shape of things to come: The Equifax breach, the GDPR and open-source security. Computer Fraud & Security, 2017(11), 5-7.

Kirda, E. (2017, February). UNVEIL: A large-scale, automated approach to detecting ransomware (keynote). In Software Analysis, Evolution and Reengineering (SANER), 2017 IEEE 24th International Conference on (pp. 1-1). IEEE.

Liu, Q., Barnes, K., & Andrews, R. F. (2017). U.S. Patent No. 9,680,819. Washington, DC: U.S. Patent and Trademark Office.

Moore, T. (2017). On the harms arising from the Equifax data breach of 2017. International Journal of Critical Infrastructure Protection, 19, 47-48.

Nate, L. (2017). The FFIEC Cybersecurity Assessment Tool: A Framework for Measuring Cybersecurity Risk and Preparedness in The Financial Industry. Retrieved from https://digitalguardian.com/blog/ffiec-cybersecurity-assessment-tool-framework-measuring-cybersecurity-risk-and-preparedness

Rittinghouse, J. W., & Ransome, J. F. (2016). Cloud computing: implementation, management, and security. CRC Press.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.

Sommestad, T., Ekstedt, M., & Holm, H. (2013). The cyber security modeling language: A tool for assessing the vulnerability of enterprise system architectures. IEEE Systems Journal, 7(3), 363-373.

Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.

Zheng, D. E., & Lewis, J. A. (2015). Cyber Threat Information Sharing.
