FINAL VULNERABILITY AND THREAT ASSESSMENT REPORT
Maria and Top Executives Vulnerability and Threats Assessment Report
Table of Contents
Overview
Mission-critical aspects of the current organization
Personnel
Physical security
Network security
Cybersecurity in the overview
Scope of Work
Work Breakdown Structure
Internal threats
External threats
Existing security measures
Compliance requirements
Threats and Vulnerabilities Report
Explanation of threats and vulnerabilities
Classifications of threats and vulnerabilities
Prioritization of threats and vulnerabilities
Lessons learned report
Network Analysis Tools Report (Appendix A)
Vulnerability Assessment Matrix (Appendix B)
References
Overview
This is a threat and vulnerability assessment document that will be presented to the executive-level stakeholders. It contains the mission-critical aspects of the current organization, the scope of work, the work breakdown structure, the threats and vulnerabilities report, lessons learned, the network analysis tools report, and lastly the vulnerability assessment matrix.
Mission-critical aspects of the current organization
Personnel
The company is a Small and Medium Enterprise (SME) with sixty-one employees. Thirty employees work in the Information Technology department, and five work in each of the following departments: marketing, operations, finance, sales, Human Resources, and [...] back-end developers, two Java programmers, five Android programmers, one system administrator, one network administrator, one database administrator, one technician, one IT manager, one CISO, one cryptographer, one Information Security Analyst, and one project manager.
Physical security
The employees use a badge to access doors within the company. A visitor needs to be accompanied by authorized personnel. The company has a data center that authorized personnel (the System Administrator, Network Administrator, and Database Administrator) access using multi-factor authentication. Visitors who want to access the data center must sign a logbook before entering the facility.
The data center and the office premises have CCTV installed that retains video for forty-five days.
Network security
The company has a firewall that checks incoming and outgoing traffic. The network has an Intrusion Detection System / Intrusion Prevention System (IDS/IPS) that detects and prevents network intrusions. Users can only access the company's network by logging in with a user account, and the account is logged off after fifteen minutes of idleness. Logging onto the company's network is subject to password policies: a password must be more than eight characters long and contain letters, numbers, and special symbols; it expires after sixty days; and recently used passwords are rejected by the system.
Cybersecurity in the overview
The company stores and processes credit card information online and therefore complies with the Payment Card Industry Data Security Standard (PCI DSS).
The company implements NIST 800-53 security controls such as access control, audit and accountability, awareness and training, configuration management, incident response, etc.
According to Lord (2018), NIST 800-53 is a "set of standards and guidelines to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA)."
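As an added illustration (not the company's own code), the following Python check encodes the password rules stated in the Network security paragraph above: more than eight characters, letters, numbers and special symbols, sixty-day expiry, and rejection of recently used passwords. The history depth of five and the hashing helper are assumptions made for the example.

```python
"""Password-policy check for the rules described above (added example; not the
company's own implementation). Rules from the text: more than eight characters;
letters, numbers and special symbols required; expiry after sixty days; recently
used passwords rejected. The history depth of five is an assumption."""
from datetime import date, timedelta
import hashlib
import string

MIN_LENGTH = 9          # "more than eight characters"
MAX_AGE_DAYS = 60       # "expire after sixty days"
HISTORY_DEPTH = 5       # assumed: number of previous passwords remembered


def hash_password(password: str) -> str:
    # Illustrative only: production systems must use a salted, slow password
    # hash such as bcrypt or Argon2, not a bare SHA-256 digest.
    return hashlib.sha256(password.encode()).hexdigest()


def check_complexity(password: str) -> list[str]:
    """Return the list of policy violations (an empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short: must be more than eight characters")
    if not any(c.isalpha() for c in password):
        problems.append("missing letters")
    if not any(c.isdigit() for c in password):
        problems.append("missing numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("missing special symbols")
    return problems


def is_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True when the password is older than the sixty-day maximum (ISO dates)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def is_reused(new_password: str, history: list[str]) -> bool:
    """True when the new password matches one of the recently used hashes."""
    return hash_password(new_password) in history[-HISTORY_DEPTH:]


def validate_change(new_password: str, history: list[str]) -> list[str]:
    """Combine the complexity and reuse checks for a password change request."""
    problems = check_complexity(new_password)
    if is_reused(new_password, history):
        problems.append("password was recently used")
    return problems


if __name__ == "__main__":
    # Constructed sample history for demonstration
    previous = [hash_password("Winter2023!"), hash_password("Spring2024!")]
    print(validate_change("Spring2024!", previous))     # ['password was recently used']
    print(validate_change("short1!", previous))          # ['too short: must be more than eight characters']
    print(validate_change("Qx7#longer-pass", previous))  # []
    print(is_expired("2024-01-01", "2024-03-15"))        # True (74 days old)
```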
Scope of Work
Currently, the company has security measures such as physical security, network security, and system and application security. The company also stores and processes clients' credit card information; therefore, it must conform to the Payment Card Industry Data Security Standard (PCI DSS). The vulnerability assessment will check whether the security measures in place are working as expected, whether the information system is susceptible to cyber-attacks, and whether the company complies with PCI DSS.
Goals of the agreement
We will perform vulnerability assessments on the network, physical security, and web application. This will entail penetration testing. According to Porup (2020), penetration testing is "a simulated cyber-attack where professional, ethical hackers break into corporate networks to find weaknesses before attackers do."
We will be testing the following:
Is the firewall secure and updated?
Are the firewall, router, switches, and other network devices adequately configured?
Is the network segmented to facilitate security?
Is the software system updated with the latest security patches?
Are all unused ports on the network closed?
Does the network allow the use of discovery protocols?
Are the offices secured, and how are they accessed?
Does the company comply with PCI DSS?
How secure is the data center?
Is the web application behind a web application firewall?
Is the web application vulnerable to cross-site scripting?
Is the database vulnerable to SQL injection?
Does the company use endpoint security solutions such as antivirus and antimalware software?
How well are employees trained regarding cybersecurity?
Deliverables
After the vulnerability assessment, we will deliver a report on the findings and recommendations on how to improve the company's security (physical security, information system security, etc.).
Timeline
The vulnerability assessment will take one month to complete.
Work Breakdown Structure
We have attached the spreadsheet with internal and external threats, existing security measures, and compliance requirements.
Internal threats
The following are internal threats: fire, theft and burglary, vandalism, opened ports, unpatched software, and granting of excess privileges.
Theft and burglary and vandalism can be categorized as either internal or external threats.
External threats
The following are external threats: terrorism, natural disasters, man-in-the-middle attack, Distributed Denial of Service (DDoS), malware, spyware, ransomware, phishing, rootkit, botnet, and SQL injection.
Existing security measures
Currently, the organization has a firewall that checks incoming and outgoing traffic. The network also has an Intrusion Detection / Intrusion Prevention System and antivirus software. Web access requires logging in with a user ID. Passwords must be more than eight characters long and contain numbers, letters, and special symbols.
Compliance requirements
The company complies with PCI DSS since it performs transactions online.
Threats and Vulnerabilities Report
Explanation of threats and vulnerabilities
Physical security
Under physical security, we identified theft and burglary, terrorism, natural disasters, vandalism, and internal threats such as fire.
Theft and burglary
According to Reed (2017), theft is taking someone's property without their permission. An employee or a visitor can enter the organization's premises and steal laptops etc. Burglary on the other hand is entering into someone's property without his/her permission with the intent of committing a crime (Reed, 2017).
Terrorism
The FBI (2021) defines terrorism as "violent, criminal acts committed by individuals and/or groups who are inspired by, or associated with, designated foreign terrorist organizations or nations." Terrorism can take the form of bombing the organization's premises, cutting the power supply using an EMP attack, etc.
Natural disasters
Natural disasters are natural occurrences such as earthquakes, tornadoes, avalanches, lightning, etc.
The organization's premises can be affected by earthquakes and similar events.
Vandalism
Reed (2017) defines vandalism as "any activity that involves the deliberate destruction, damage, or defacement of public or private property."
An unsatisfied employee can vandalize the company's property, e.g., network cables, etc.
Internal threats
The internal threat and vulnerability assessment found that users stored passwords on their desktops. A common way for an attacker to gain access to a network is through trusting employees.
There are also several internal threats such as humidity in the data center, unstable power supply, fire, etc. Once inside the system, an intruder can access privileged information, insert malicious software, or erase the entire database, causing great harm to the company.
Network security
Under network security, we identified malware and viruses, spyware, ransomware attacks, phishing, Denial of Service (DoS) and Distributed Denial of Service (DDoS), rootkits, man-in-the-middle attacks, opened ports, and botnets.
Malware and viruses
According to Fruhlinger (2019), malware is malicious software, and it incorporates all malicious programs such as viruses, Trojans, worms, etc.
Fruhlinger (2019) defines a virus as a "piece of computer code that inserts itself within the code of another standalone program, then forces that program to take malicious action and spread itself."
Spyware
Fruhlinger (2019) adopts the definition of spyware provided by Webroot Cybersecurity: "malware used to gather data on an unsuspecting user secretly." Spyware can spy on you by using a keylogger that records the keystrokes you type, and it can also steal passwords.
Ransomware attacks
Fruhlinger (2019) defines ransomware as malware that encrypts your data, and the attacker demands payment to decrypt the data.
Phishing
According to Vos (2020), phishing is where an attacker collects personal information from an unsuspecting user through an email link or a website that appears to originate from a legitimate organization.
DoS / DDoS
According to Vos (2020), a DDoS is when the network is overwhelmed with traffic making it hard for users to access crucial applications.
Rootkit
Vos (2020) defines rootkit as "computer software that is designed to give the attackers unauthorized remote access to your computers and network."
Man-in-the-middle attack
Vos (2020) defines a man-in-the-middle attack as an attack where an attacker intercepts communication on the network and can alter that communication.
Opened ports
Opened ports are ports that are open but not in use by the business; an attacker can use them as an entry point to inject malware into your system.
Botnet
According to Wright, Lutkevich, and Hanna (2021), a botnet is a "collection of internet-connected devices, which may include personal computers, servers, mobile devices and Internet of Things (IoT) devices that are infected and controlled by a common type of malware, often unbeknownst to their owner."
The controlled computers are known as zombies, and an attacker gives them commands.
System and application security
Under system and application security, we identified the following threats and vulnerabilities: viruses, SQL injection, unpatched security vulnerabilities, and granting of excess privileges.
SQL injection
SQL injection occurs when an attacker injects SQL statements through a web interface in order to manipulate the data maliciously, e.g., by deleting a table.
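The following added example (not code from the company's web application) places a vulnerable string-built lookup beside its parameterized form, so the matrix's remediation of validating input and never splicing it into SQL can be seen working; the SQLite table and the inputs are constructed for illustration.

```python
"""SQL injection, vulnerable lookup beside the hardened one (added example; not
code from the company's web application). The SQLite table is constructed here."""
import re
import sqlite3

# Defence in depth: validate the shape of the input before it reaches the
# database. Validation alone is not the fix; the parameterized query is.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small in-memory customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO customers (email) VALUES (?)",
                     [("alice@example.com",), ("bob@example.com",)])
    return conn


def is_valid_email(value: str) -> bool:
    """Cheap structural check; rejects anything with spaces or a second '@'."""
    return EMAIL_RE.fullmatch(value) is not None


def find_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The form field is spliced into the SQL text, so a value containing a
    # quote changes the statement the database executes.
    query = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized query: the driver passes the value separately from the
    # SQL, so whatever the user typed is compared as a plain string.
    query = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def row_counts(user_input: str) -> tuple[int, int]:
    """Rows returned by the vulnerable and the safe version for the same input."""
    conn = make_db()
    return (len(find_customer_vulnerable(conn, user_input)),
            len(find_customer_safe(conn, user_input)))


if __name__ == "__main__":
    print(row_counts("alice@example.com"))  # (1, 1): an ordinary lookup
    # A quote-bearing value turns the vulnerable WHERE clause into a tautology
    # and returns every row; the parameterized query returns none.
    print(row_counts("x' OR '1'='1"))       # (2, 0)
    print(is_valid_email("x' OR '1'='1"))   # False: validation would also reject it
```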
Unpatched security vulnerabilities
We need to update applications with the latest security patches to curb security issues that were in previous versions.
Granting of excess privileges
Giving database users excess privileges is a mistake. Users should be granted the least privileges they need, with rights increased according to their roles.
Threat modeling process
According to Fruhlinger (2020), a threat modeling process is a "structured process through which IT pros can identify potential security threats and vulnerabilities, quantify the seriousness of each, and prioritize techniques to mitigate attacks and protect IT resources." There are several threat modeling processes: STRIDE, PASTA, DREAD, NIST, Trike, OCTAVE, and VAST (Fruhlinger, 2020).
We will use the STRIDE threat model. STRIDE stands for Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of Service, and Elevation of privileges (Donovan, 2021). Donovan (2021) states that STRIDE can be used to spot threats when designing an app or a system. STRIDE aims to ensure the Confidentiality, Integrity, and Availability (CIA) of a system (Donovan, 2021).
Third-party outsourcing issues
Currently, the company uses its local servers for data storage, but due to growth it intends to outsource several services such as data storage and internet-based applications. Outsourcing brings issues such as information security, data privacy, and business continuity. When outsourcing, we will ensure that the service provider can recover from disasters and complies with regulations and standards such as HIPAA, PCI DSS, and Cloud Security Alliance (CSA) guidance, among others.
Classifications of threats and vulnerabilities
Threat
According to Muscat (2019), threats refer to "cybersecurity circumstances or events with the potential to cause harm by way of their outcome."
Vulnerability
Muscat (2019) defines vulnerability as "weaknesses in a system."
The following table classifies the threats and vulnerabilities.

| Threats | Vulnerabilities |
|---|---|
| Theft and burglary | Opened ports |
| Terrorism | Unpatched software |
| Natural disasters | Granting of excess privileges |
| Vandalism | |
| Internal threats, e.g., fire, etc. | |
| Man-in-the-middle | |
| Distributed Denial of Service | |
| Malware | |
| Spyware | |
| Ransomware | |
| Phishing | |
| Rootkit | |
| Botnet | |
| SQL injection | |
The classification of threats and vulnerabilities is vital because threats can cause damage to our system and organization's reputation, whereas vulnerabilities point out what needs to be done to prevent hazards.
Prioritization of threats and vulnerabilities
Internal threats
The following are internal threats: fire, theft and burglary, vandalism, opened ports, unpatched software, and granting of excess privileges.
Theft and burglary and vandalism can be categorized as either internal or external threats.
External threats
The following are external threats: terrorism, natural disasters, man-in-the-middle attack, Distributed Denial of Service (DDoS), malware, spyware, ransomware, phishing, rootkit, botnet, and SQL injection.
Lessons learned report
Record findings
We found that a lot of software is not up-to-date, e.g., Android Studio for developing Android programs and IntelliJ IDEA for developing Java programs.
We also found that specific ports were opened.
We found that our database needs to be optimized further since it has a slow response time.
Nontechnical factors to be considered
It is essential to include all stakeholders in a vulnerability assessment since the security of the network, applications, etc., is a company effort, not a department effort.
The point at which the assessment is complete
The vulnerability assessment is complete when we create a remediation process and mitigation plan (Stankovic, 2021). In practice, vulnerability assessment is a continuous process, and the company needs to perform it from time to time.
Next steps
The next step will be to interpret the scan results. The tools used will prioritize vulnerabilities, but specific vulnerabilities will have higher precedence. For example, network vulnerability should have a high priority compared to an application vulnerability.
After interpreting the results, we will come up with a remediation process and mitigation plan.
Network Analysis Tools Report (Appendix A)
The following are the tools that we will use.
Netsparker
According to Mangat (2020), Netsparker is a tool used to find vulnerabilities in a web application. The difference between Netsparker and other web application scanning tools such as Nikto2 is that Netsparker offers ways of remediating the vulnerabilities found.
OpenVAS
According to Mangat (2020), OpenVAS is a "vulnerability scanning tool that supports large-scale scans which are suitable for organizations." Mangat (2020) says that OpenVAS is used to scan Operating Systems, web servers, web applications, networks, databases, and virtual machines. OpenVAS gives countermeasures that can be implemented to correct the vulnerabilities identified.
NMAP
Mangat (2020) indicates that NMAP is an open-source network scanning tool. We will use NMAP to scan for hosts in our network and for Operating System discovery, so that unknown hosts appearing on the network can be identified.
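As an added example, not part of the report's own tooling, the script below reads nmap normal-format output for the hosts in our network and flags any open port that is not on an approved baseline, which is how the opened-ports finding and the NMAP scanning step above can be turned into a repeatable check. The scan text, host names, IP addresses and baseline are constructed for illustration.

```python
"""Compare open ports found by nmap against an approved baseline (added example;
not the report's own tooling). Scan text, hosts and baseline are constructed."""
import re

# Constructed nmap normal-format output for two internal hosts
SCAN_OUTPUT = """
Nmap scan report for web01.example.internal (10.0.0.12)
Host is up (0.0010s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
8080/tcp open  http-proxy

Nmap scan report for db01.example.internal (10.0.0.20)
Host is up (0.0020s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
3306/tcp open  mysql
1900/udp open  upnp
"""

# Assumed allowlist: the ports each host is approved to expose
BASELINE = {
    "10.0.0.12": {"22/tcp", "80/tcp", "443/tcp"},
    "10.0.0.20": {"22/tcp", "3306/tcp"},
}

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)")


def parse_open_ports(scan_text: str) -> dict[str, dict[str, str]]:
    """Map each scanned IP to its open ports and nmap's service guess."""
    hosts: dict[str, dict[str, str]] = {}
    current = None
    for line in scan_text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            hosts[current] = {}
            continue
        port = PORT_RE.match(line)
        if port and current is not None:
            hosts[current][port.group(1)] = port.group(2)
    return hosts


def unexpected_ports(hosts: dict[str, dict[str, str]],
                     baseline: dict[str, set[str]]) -> dict[str, list[str]]:
    """Open ports outside the baseline; a host with no baseline is reported whole."""
    findings = {}
    for ip, ports in hosts.items():
        extra = sorted(p for p in ports if p not in baseline.get(ip, set()))
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    for ip, ports in unexpected_ports(parse_open_ports(SCAN_OUTPUT), BASELINE).items():
        print(f"{ip}: unexpected open ports {', '.join(ports)}")
```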
Kali Linux
We also recommend Kali Linux for penetration testing. According to Dobran (2019), Kali Linux offers a "security auditing operating system and toolkit with more than 300 techniques to ensure your site and Linux servers stay safe from attack". Kali Linux will show vulnerabilities in all areas, e.g., weak passwords, opened ports, new hosts in a network, etc.
SolarWinds
We will use SolarWinds to monitor our database since monitoring of the database can show available vulnerabilities such as misconfigured disks etc.
Vulnerability Assessment Matrix (Appendix B)

| Threat or Vulnerability | Classification | Priority | Analysis Tool Used | Remediation Plan |
|---|---|---|---|---|
| Theft and burglary | Threat | Low | | Ensure offices are locked when not in use; ensure offices are accessed using an access card at all times; revoke the access card privileges of terminated employees. |
| Terrorism | Threat | Medium | | Ensuring the network is secure and all devices are well configured is a start; ensure that employees only access sites that are beneficial to the organization. |
| Natural disasters | Threat | Medium | Smoke detectors for fire; early detection and alert tools for earthquakes, etc. | Have a proper disaster recovery plan in place so that we can bounce back fast after a disaster. |
| Vandalism | Threat | Low | | Employ security guards to guard the premises day and night; ensure the premises are locked and offices are accessed by authorized personnel using door card badges. |
| Malware and viruses | Threat | High | Endpoint solution, e.g., antivirus, antispyware, etc. | Allow automatic scanning of personal computers and devices from time to time; ensure endpoint solutions are up to date in terms of security patches. |
| Spyware | Threat | High | Antispyware | Have antispyware in the system; ensure the antispyware is up to date with security patches. |
| Ransomware | Threat | High | | Segment the network; have an incident response plan in place; use antivirus and anti-spam solutions; ensure systems are patched. |
| Phishing | Threat | High | BrandShield anti-phishing | Train employees about phishing and the damage it does; use spam filter technology; update systems with the latest security patches; use a web filter to block malicious websites. |
| DoS / DDoS | Threat | High | OpenVAS | Use anti-DDoS technology; ensure the network is secure; have an incident response plan in place. |
| Rootkit | Threat | High | OpenVAS | Ensure the system is patched with the latest security patches; use antivirus; perform automatic scans from time to time. |
| Man-in-the-middle attack | Threat | High | NMAP | Monitor the network frequently; ensure the network is secure and devices are well configured. |
| Opened ports | Vulnerability | High | Kali Linux | Close all unused ports; disable all network discovery protocols. |
| Botnet | Threat | High | OpenVAS | Blacklist all IPs that originate from suspicious websites; perform packet filtering using a firewall. |
| SQL injection | Threat | High | SolarWinds | Ensure data is sanitized and validated before being sent to the database. |
| Unpatched software | Vulnerability | High | SUMo | Ensure software is up to date. |
References
Dobran, B. (2019, July 3). 35 network security tools you should be using, according to experts. phoenixNAP. https://phoenixnap.com/blog/best-network-security-tools
Donovan, F. (2021, January 11). What is STRIDE and how does it anticipate cyberattacks? Security Intelligence. https://securityintelligence.com/articles/what-is-stride-threat-modeling-anticipate-cyberattacks/
FBI. (2021). Terrorism. https://www.fbi.gov/investigate/terrorism
Fruhlinger, J. (2019, May 17). Malware explained: How to prevent, detect and recover from it. CSO Online. https://www.csoonline.com/article/3295877/what-is-malware-viruses-worms-trojans-and-beyond.html
Goldman, J. (2019). How to conduct a vulnerability assessment: 5 steps toward better cybersecurity. eSecurity Planet. https://www.esecurityplanet.com/networks/how-to-conduct-a-vulnerability-assessment-steps-toward-better-cybersecurity/
Lord, N. (2018). What is NIST SP 800-53? Definition and tips for NIST SP 800-53 compliance. Digital Guardian. https://digitalguardian.com/blog/what-nist-sp-800-53-definition-and-tips-nist-sp-800-53-compliance
Mangat, M. (2020, March 23). 17 best vulnerability assessment scanning tools. phoenixNAP. https://phoenixnap.com/blog/vulnerability-assessment-scanning-tools
Mixon, E. (2020). Android OS. SearchMobileComputing. https://searchmobilecomputing.techtarget.com/definition/Android-OS
Muscat, I. (2019). Cyber threats, vulnerabilities, and risks. Acunetix. https://www.acunetix.com/blog/articles/cyber-threats-vulnerabilities-risks/
Porup, J. (2020). 11 penetration testing tools the pros use. CSO Online. https://www.csoonline.com/article/2943524/11-penetration-testing-tools-the-pros-use.html
Reed, H. (2017, October 23). 5 most common types of physical security threats. United Locksmith. https://unitedlocksmith.net/blog/5-most-common-types-of-physical-security-threats
Stankovic, S. (2021). How to perform a successful network security vulnerability assessment. PurpleSec. https://purplesec.us/perform-successful-network-vulnerability-assessment/
Vos, C. (2020). Top 12 network security threats and vulnerabilities. Resolutes. https://www.resolutets.com/network-security-threats-and-vulnerabilities/
Watts, S. (2017). What is threat remediation? Threat remediation explained. BMC. https://www.bmc.com/blogs/what-is-threat-remediation-threat-remediation-explained/
Wright, R., Lutkevich, B., & Hanna, K. (2021). Botnet. TechTarget. https://searchsecurity.techtarget.com/definition/botnet