Penetration Testing - Threats, Attacks, and Vulnerability Assessment

willymax93
CMGT400Week1_SampleThreatsAttacksAndVulnerability_XYZCorp.docx

CMGT/400 Week 1 Assignment – Threats, Attacks, and Vulnerability Assessment

XYZ Corp is a leading manufacturer of medical devices and equipment. XYZ Corp produces health care products and supplies for diagnostics survey, patient care, and medical laboratories.

[A Cyber Security Threat Analyst conducts analysis, digital forensics, and targeting to identify, monitor, assess, and counter cyber-attack threats against information systems, critical infrastructure, and cyber-related interests. Take on the role of a Cyber Security Threat Analyst for the approved organization you chose. Research the following information about the organization you chose and complete the Threats, Attacks, and Vulnerability Assessment template. ]

Assessment Scope

What are the tangible assets included? (Must include virtualization, cloud, database, network, mobile, information systems)

Identify all information systems, critical infrastructure, and cyber-related interests and combinations that will be assessed. Also, describe information systems, critical infrastructure, and cyber-related interests which will not be assessed and explain why.

Information systems, critical infrastructure, and cyber-related interests to be assessed

1. Physical facility security and access

2. Salesforce.com cloud-based CRM system (AWS)

3. Network infrastructure

4. File systems

5. SAP ERP applications (AWS)

6. Oracle database servers (AWS and on-premise)

7. PeopleSoft HR applications (AWS)

8. Mobile access to on-premise and cloud-based information systems

Information systems, critical infrastructure, and cyber-related interests which will not be assessed

1. ADP Payroll system: not included in this security assessment because KPMG will audit the security of this system as part of their yearly payroll system audit

2. Accounting systems (general ledger, accounts payable, accounts receivable): not included because KPMG will audit accounting system security as part of their yearly accounting system audits

System Model

A diagram and descriptions of each asset included in the assessment scope.

Existing Countermeasures

Describe existing countermeasures already in place.

1. Outsourced denial of service monitoring and resolution to a cloud-based provider.

2. Installed intrusion detection systems, firewalls, and honeypots

3. Implemented physical facility access control through employee badge system

4. Timely software application updates

5. Password policy enforcement

Threat Agents and possible attacks

Define 12 to 15 threat agents and possible attacks.

A threat agent is a specific object, person, organization, government, or entity that poses a danger of carrying out a cyber security attack against an organization.

| Threat Agent | Attack Purpose | Possible Attack |
|---|---|---|
| Competitor | Industrial espionage | Social engineering to gain access to an organization's intellectual property, including customer lists and product innovations. |
| Hackers | Challenge of hacking into and gaining access to an organization's systems | Deliberate software attacks: viruses, worms, macros, denial of service |
| Internal employee | Unintentional acts of human error or failure | Accidents, employee mistakes |
| Cyber criminal - extortion | Deliberate acts of information extortion | Man-in-the-middle attack |
| Cyber criminal - sabotage | Deliberate acts of sabotage or vandalism | Password cracking, escalation of privilege, key file destruction |
| Cyber criminal - espionage | Deliberate acts of espionage or trespass | Network scanning for open, unsecured ports |
| Cyber warfare | Deliberate acts of cyber warfare perpetrated by one or more countries on another country or countries | Denial of service to halt critical infrastructure such as a nation's electric grid |
| Cyber terrorism | Deliberate cyber-attacks to forward terrorist initiatives and agendas | Communicating terrorist messages, threats, or manipulation on social media and organizational websites; use of malware to gain illegal access to an organization's IT assets and use them to further cyber terrorism initiatives |
| Forces of nature | N/A | Fire, flood, earthquake |
| Technical hardware failures and errors | N/A | Equipment failure |
| Technical software failures | N/A | Software defects |
| Contractor | Deliberate acts of theft | Illegal confiscation of equipment or information |

Exploitable Vulnerabilities

Identify 7 to 9 exploitable vulnerabilities.

1. Acts of human error or failure: inexperience and improper training

2. Lack of intrusion detection systems to control access to an organization's technical assets

3. Unprotected shares: vulnerabilities and configuration issues in an organization's file systems

4. Technology obsolescence: not updating software applications to current versions

5. Open and unprotected ports

6. Poorly written software code and applications: buffer overflow and SQL injection

7. Lack of physical security

8. Allowing unsecured mobile devices to connect to an organization's IT infrastructure

9. Employees leaving their computer screens unlocked and unattended

10. Written passwords on sticky notes attached to the computer monitor, under the keyboard, or in a desk drawer
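Vulnerability 6 above names SQL injection as a consequence of poorly written application code. The following Python example is added here and is not part of the assessment document: it places the vulnerable string-built login query beside its parameterized form, running both against an in-memory SQLite table seeded with constructed sample accounts (the usernames and passwords are hypothetical). It shows two failure modes of the vulnerable pattern, a legitimate password containing a quote that breaks the query, and input that is a fragment of SQL rather than a password, and how the bound-parameter version handles each. The buffer overflow half of that item is not covered.

```python
import sqlite3

# Constructed sample data (hypothetical accounts, not from the assessment).
# Passwords are stored in clear text only to keep the demonstration short;
# a real system would store a salted password hash and compare against that.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("oneil", "it's-a-secret"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text, so a quote
    character in the input changes the meaning of the query itself."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    """Hardened form: the same query with bound parameters. The driver sends
    the values as data, so the query structure is fixed regardless of input."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(username, password):
    """Run both versions on the same input and return (vulnerable, hardened).
    Each result is True/False for the authentication decision, or the string
    'error' if the query could not even be parsed."""
    conn = make_db()
    try:
        vulnerable = login_vulnerable(conn, username, password)
    except sqlite3.OperationalError:
        # The pasted input produced malformed SQL.
        vulnerable = "error"
    hardened = login_hardened(conn, username, password)
    conn.close()
    return vulnerable, hardened


if __name__ == "__main__":
    # Normal credentials: both versions agree.
    print(compare("alice", "correct horse battery staple"))  # (True, True)
    # Wrong password: both reject.
    print(compare("alice", "wrong"))                         # (False, False)
    # A legitimate password containing a quote: the vulnerable query breaks,
    # the parameterized query authenticates the user correctly.
    print(compare("oneil", "it's-a-secret"))                 # ('error', True)
    # Input that is a fragment of SQL rather than a password: only the
    # hardened version treats it as data and rejects it.
    print(compare("alice", "x' OR 'a'='a"))                  # (True, False)
```

The point for an assessment is that the parameterized version is not an additional check bolted on; it is the same query written so that input can never be interpreted as SQL, which is why code review and static analysis for string-built queries belong in the countermeasures list alongside the network controls.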

Threat History / Business Impact

| Threat History Event | Duration | Business Impact | Threat Resolution |
|---|---|---|---|
| Denial of service attack | 2 days | Reduced or eliminated customer access to the organization's customer-facing websites and cloud-based computing applications | Outsourced denial of service monitoring and resolution to a cloud-based provider |
| Hacker scanning and access of the organization's devices and networks | Ongoing | Theft of intellectual property | Installed intrusion detection systems, firewalls, and honeypots |
| Phishing attacks | Ongoing | Employees creating individual and organizational risk by inappropriately accessing phishing emails | Employee cyber security training |
| Hardware failure | 1 week | Order entry system did not work for one week | Created appropriate backup and recovery processes to protect against hardware failure |
| Physical theft of equipment | 3 weeks | Company equipment and employee belongings were stolen during a 3-week period | Implemented physical facility access control through an employee badge system |

Risks and Contingencies Matrix

| Risk | Probability | Priority | Owner | Countermeasures / Contingencies / Mitigation Approach |
|---|---|---|---|---|
| Network exploit | High | High | Director of network administration | Intrusion detection systems, firewalls, honeypots, outsourced denial of service monitoring |
| Social engineering | Medium | High | CIO, CSO | Employee security training, physical facility access control systems, employee badging. Develop security policies and procedures. |
| Malware | Medium | Medium | CIO | Implement malware detection applications. Monitor and audit system usage. |
| Misuse of available resources and services | Low | Medium | CIO, CSO | Develop security policies, procedures, and appropriate-use rules. Monitor and audit compliance with the organization's security policies, procedures, and appropriate-use rules. |
| Data loss | Medium | High | Director of database administration | Create, monitor, and audit the organization's data backup and recovery processes and procedures. |