Penetration Testing - Threats, Attacks, and Vulnerability Assessment
willymax93
CMGT/400 Week 1 Assignment – Threats, Attacks, and Vulnerability Assessment
XYZ Corp is a leading manufacturer of medical devices and equipment. XYZ Corp produces health care products and supplies for diagnostics survey, patient care, and medical laboratories.
[A Cyber Security Threat Analyst conducts analysis, digital forensics, and targeting to identify, monitor, assess, and counter cyber-attack threats against information systems, critical infrastructure, and cyber-related interests. Take on the role of a Cyber Security Threat Analyst for the approved organization you chose. Research the following information about the organization you chose and complete the Threats, Attacks, and Vulnerability Assessment template. ]
Assessment Scope
What are the tangible assets included? (Must include virtualization, cloud, database, network, mobile, information systems)
Identify all information systems, critical infrastructure, and cyber-related interests and combinations that will be assessed. Also, describe information systems, critical infrastructure, and cyber-related interests which will not be assessed and explain why.
Information systems, critical infrastructure, and cyber-related interests to be assessed
1. Physical facility security and access
2. Salesforce.com cloud based CRM system (AWS)
3. Network infrastructure
4. File systems
5. SAP ERP applications (AWS)
6. Oracle database servers (AWS) (On Premise)
7. PeopleSoft HR applications (AWS)
8. Mobile access to on premise and cloud based information systems
Information systems, critical infrastructure, and cyber-related interest which will not be assessed
1. ADP Payroll system: Will not be included in this security assessment: KPMG will audit the security of this system as part of their yearly payroll system audit
2. Accounting systems (General ledger, accounts payable, accounts receivable): KPMG will audit accounting system security as part of their yearly accounting system audits
System Model
A diagram and descriptions of each asset included in the assessment scope.
Existing Countermeasures
Describe existing countermeasures already in place.
1. Outsourced denial of service monitoring and resolution to cloud based provider.
2. Installed intrusion detection systems, firewalls, and honeypots
3. Implemented physical facility access control through employee badge system
4. Timely software application updates
5. Password policy enforcement
Threat Agents and possible attacks
Define 12 to 15 threat agents and possible attacks.
A threat agent is a specific object, person, organization, government, or entity that poses a danger of carrying out a cyber security attack against an organization.
| Threat Agent | Attack Purpose | Possible Attack |
|---|---|---|
| Competitor | Industrial espionage | Social engineering to gain access to an organization's intellectual property, including customer lists and product innovations. |
| Hackers | Challenge of hacking into and gaining access to an organization's systems | Deliberate software attacks: viruses, worms, macros, denial-of-service |
| Internal Employee | Unintentional acts of human error or failure | Accidents, employee mistakes |
| Cyber Criminal - Extortion | Deliberate acts of information extortion | Man in the middle attack |
| Cyber Criminal - Sabotage | Deliberate acts of sabotage or vandalism | Password cracking, escalation of privilege, key file destruction |
| Cyber Criminal - Espionage | Deliberate acts of espionage or trespass | Network scanning for open, unsecure ports |
| Cyber Warfare | Deliberate acts of cyber warfare perpetrated by one or more countries on another country or countries | Denial of service to halt critical infrastructure such as the electric grid of a nation |
| Cyber Terrorism | Deliberate cyber-attacks to forward terrorist initiatives and agendas | Communicating terrorist messages, threats, or manipulation on social media and organizational websites. Use of malware to gain illegal access to an organization's IT assets and use them to further cyber terrorism initiatives |
| Forces of nature | NA | Fire, flood, earthquake |
| Technical hardware failures and errors | NA | Equipment failure |
| Technical software failures | NA | Software defects |
| Contractor | Deliberate acts of theft | Illegal confiscation of equipment or information |
Exploitable Vulnerabilities
Identify 7 to 9 exploitable vulnerabilities.
1. Acts of human error or failure: inexperience and improper training
2. Lack of intrusion detection systems to control access to an organization's technical assets
3. Unprotected shares: vulnerabilities and configuration issues in an organization's file systems
4. Technology obsolescence: not updating software applications to current versions
5. Open and unprotected ports
6. Poorly written software code and applications: buffer overflow and SQL injection
7. Lack of physical security
8. Allowing unsecure mobile devices to connect to an organization’s IT infrastructure
9. Employees leaving their computer screens unlocked and unattended
10. Written passwords on sticky notes attached to the computer monitor, under the keyboard, or in a desk drawer
Threat History / Business Impact
| Threat History Events | Duration | Business Impact | Threat Resolution |
|---|---|---|---|
| Denial of service attack | 2 days | Reduced or eliminated customer access to the organization's customer facing websites and cloud based computing applications | Outsourced denial of service monitoring and resolution to cloud based provider. |
| Hacker scanning and access of organization's devices and networks | Ongoing | Theft of intellectual property | Installed intrusion detection systems, firewalls, and honeypots |
| Phishing attacks | Ongoing | Employees creating individual and organizational risk by inappropriately accessing phishing emails | Employee cyber security training |
| Hardware failure | 1 week | Order entry system did not work for one week | Created appropriate backup and recovery processes to protect against hardware failure |
| Physical theft of equipment | 3 weeks | Company equipment and employee belongings were stolen during a 3 week period | Implemented physical facility access control through employee badge system |
Risks and Contingencies Matrix