
Running head: Risk Assessment Report (RAR)

Risk Assessment Report (RAR)

CYB 610: Cyberspace and Cybersecurity Foundations

Me

University of Maryland University College

Purpose

The purpose of this risk assessment is to evaluate the adequacy of the Amazon Corporation's security. This risk assessment report provides a structured but qualitative assessment of the operational environment of the Amazon Corporation. It addresses sensitivity, threat analysis, vulnerability analysis, risk analysis, and the safeguards applied in the Amazon Corporation. The report and the assessment recommend cost-effective safeguards to mitigate the threats, and the associated exploitable vulnerabilities, in the Amazon Corporation.

The Organization

The Amazon Corporation's system environment runs as a distributed client/server environment consisting of a Microsoft Structured Query Language (SQL) database built with powerful programming code. The Amazon Corporation's system contains SQL data files, Python application code, and executable Java and Java scripts. The SQL production data files, documented as consisting of SQL stored procedures and SQL tables, reside on a cloud storage area network attached to an HP server running Windows XP and MS SQL 2000. The Python application code resides on a separate IBM server running Kali Linux (NIST, 2014).

The Amazon Corporation's executables reside on a file server running Windows 2000 and Kali Linux; occasionally a local workstation is used instead, depending on the load and job requirements. The desktop computers are physically connected to a Wide Area Network (WAN). Some users revealed that they usually connect via secured dial-up and DSL connections through a powerful Citrix server. Normally, a user connects to an active application server in their city that hosts the Amazon Corporation's application, and to the shared database server located in Atlanta (NIST, 2014).

Scope

The scope of this risk assessment is to assess the system's use of resources and the controls implemented, and to report on the plans set to eliminate and manage vulnerabilities exploitable by the threats identified in this report, whether internal or external to Amazon. If not eliminated and subsequently exploited, these vulnerabilities could result in:

  • Unauthorized disclosure of data;

  • Unauthorized modification of the system, its data, or both;

  • Denial of service, denial of access to data, or both, for authorized users.

This Risk Assessment Report project for the Amazon Corporation evaluates confidentiality (protection from unauthorized disclosure of system and data information), integrity (protection from improper modification of information), and availability (protection from loss of access to the system).

The intrusion detection tools used in the methodology are the MBSA security analyzer in the Cyber 610 Lab, the OpenVAS security analyzer in the Cyber 610 Lab, and the Wireshark security analyzer. In conducting the analysis, the screenshots taken with each tool were reviewed in order to arrive at the relevant conclusions. The recommended security safeguards are meant to allow management to make proper decisions about security-related initiatives at Amazon.

Methodology

The risk assessment methodology and approach for the Amazon Corporation followed the guidelines in NIST SP 800-37, Risk Management Guide for Information Technology Systems, and the OPM OIG Final Audit Report findings and recommendations (NIST, 2012). The assessment is very broad in scope and evaluates the Amazon Corporation's security vulnerabilities affecting confidentiality, integrity, and availability. The assessment also recommends a handful of appropriate security safeguards, allowing management to make knowledge-based decisions on security-related initiatives in the Amazon Corporation.

This initial risk assessment report provides an independent review to help management at Amazon determine the appropriate level of security required to support the development of a stringent system security plan. The accompanying review also provides the information required by the Chief Information Security Officer (CISO) and the Designated Approving Authority (DAA), also known as the Authorizing Official (AO), to assist in making an informed decision about authorizing the system to operate (NIST, 2014). The intrusion detection tools used in the methodology include the MBSA security analyzer, the OpenVAS security analyzer, and the Wireshark security analyzer.

Data

The data collected with MBSA and the other tools show the internal routines that MBSA and the other tools performed in Labs 2 and 3, which were given together with the question. The MBSA security analyzer and the OpenVAS security analyzer converted the raw scan data and, in particular, succeeded in turning the following vulnerabilities into risks, based on the following methodology from the Cyber 610 lab.

The MBSA security analyzer and the OpenVAS security analyzer also had routines that communicated with the Greenbone security assessment center, especially to provide the automated recommendations evident in Labs 2 and 3. The Greenbone security assessment center particularly succeeded in doing the following, as evident in the output file. Management has the option of doing the following in the corporation:

  • Accepting the risks and the chosen recommended controls, or negotiating an alternative mitigation, while reserving the right to override the Greenbone security assessment center and incorporate the proposed recommended control into Amazon's Plan of Action and Milestones.

Results

The following operational and managerial vulnerabilities were identified at Amazon while using the project methodology:

  • Inadequate adherence to, and advocacy for, existing security controls;

  • Inadequate adherence to management of changes to the information systems infrastructure;

  • Weak authentication protocols;

  • Inadequate adherence to life-cycle management of the information systems;

  • Inadequate adherence to, and advocacy for, the configuration management and change management plan;

  • Inadequate adherence to, and advocacy for, implementing a robust inventory of systems, servers, databases, and network devices;

  • Inadequate adherence to, and advocacy for, mature vulnerability scanning tools.

The following attacks were identified at Amazon while using the above project methodology:

  • IP address spoofing and cache poisoning attacks;

  • Denial of service (DoS) attacks;

  • Packet analysis and sniffing;

  • Session hijacking attacks;

  • Distributed denial of service attacks.

NIST SP 800-63 describes the classification of potential harm and impact as follows, as do the OPM OIG Final Audit Report findings and recommendations (NIST, 2006):

  • Inconvenience, distress, or damage to standing or reputation;

  • Financial loss or agency liability;

  • Harm to agency programs or public interests.

Potential impact of inconvenience, distress, or damage to standing or reputation:

  • Low - limited, short-term inconvenience, consisting of distress or embarrassment to any party within Amazon.

  • Moderate - serious short-term or limited long-term inconvenience, consisting of distress or damage to the standing or reputation of any party within Amazon.

  • High - severe or serious long-term inconvenience, consisting of distress or damage to the standing or reputation of any party within Amazon.

Potential impact of financial loss:

  • Low - insignificant or inconsequential unrecoverable financial loss to any party consisting of an insignificant or inconsequential agency liability within Amazon.

  • Moderate - a serious unrecoverable financial loss to any party, consisting of a serious agency liability within Amazon.

  • High - severe or catastrophic unrecoverable financial loss to any party; consisting of catastrophic agency liability within Amazon.

Potential impact of harm to agency programs or public interests:

  • Low - a limited adverse effect on organizational operations or assets, or public interests within Amazon.

  • Moderate - a serious adverse effect on organizational operations or assets, or public interests within Amazon.

  • High - a severe or catastrophic adverse effect on organizational operations or assets, or public interests within Amazon.

Conclusion and Recommendation

In the risk assessment, two striking issues came out, which are resolved below. First, an employee was terminated and his user ID was not removed from the system. This is a dependency-failure type of vulnerability/risk pair and carries an overall risk of moderate.

The recommended safeguard is to remove the user ID from the system upon notification of termination. Second, the VPN/keyfob access does not meet the certification and accreditation level stipulated in NIST SP 800-63. This is a kind of vulnerability that touches on inconvenience, standing, and reputation, and it carries an overall risk of moderate. The recommended safeguard is to migrate all remote authentication roles to CDC or any other approved authority.
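One way to operationalize the first safeguard and catch the gap the assessment found (a terminated employee whose user ID stays enabled) is a periodic reconciliation of the HR termination feed against the account directory. The script below is an added example, not part of the report or of any Amazon tooling; both inputs are constructed sample data and the column names are assumptions.

```python
"""Orphaned-account check for the "terminated user still has a user ID" finding.
Added example, not from the report: inputs are constructed, column names assumed."""
import csv
import io
from datetime import date

# Constructed HR feed: termination_date is empty for current employees.
HR_FEED = """user_id,termination_date
jdoe,2017-03-01
asmith,
bjones,2017-02-10
"""

# Constructed directory export (e.g. Active Directory) with account state.
DIRECTORY_EXPORT = """user_id,enabled,last_login
jdoe,true,2017-03-05
asmith,true,2017-03-06
bjones,false,2017-02-09
svc_backup,true,2017-03-06
"""

def parse_terminations(hr_text):
    """Map user_id -> termination date for every user HR reports as terminated."""
    terminated = {}
    for row in csv.DictReader(io.StringIO(hr_text)):
        if row["termination_date"]:
            terminated[row["user_id"]] = date.fromisoformat(row["termination_date"])
    return terminated

def find_orphaned_accounts(hr_text, dir_text, as_of):
    """Return (user_id, days enabled past termination, used after termination)
    for each enabled account of a terminated user, worst cases first."""
    today = date.fromisoformat(as_of)
    terminated = parse_terminations(hr_text)
    findings = []
    for row in csv.DictReader(io.StringIO(dir_text)):
        uid = row["user_id"]
        if uid not in terminated or row["enabled"].strip().lower() != "true":
            continue  # current employee, account unknown to HR, or already disabled
        term = terminated[uid]
        last = date.fromisoformat(row["last_login"]) if row["last_login"] else None
        findings.append((uid, (today - term).days, bool(last and last > term)))
    # Accounts actually used after termination sort first, then the longest-open.
    findings.sort(key=lambda f: (not f[2], -f[1]))
    return findings

if __name__ == "__main__":
    for uid, days, used in find_orphaned_accounts(HR_FEED, DIRECTORY_EXPORT, "2017-03-10"):
        print(f"{uid}: enabled {days} days after termination; used since termination: {used}")
```

Accounts with no HR record at all (the constructed svc_backup entry) are skipped here and would merit a separate ownership review, since they are exactly the kind of account a termination process never reaches.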

This risk assessment report for the organization identifies operational risks, especially in those domains that fail to meet the minimum requirements and for which appropriate countermeasures have yet to be implemented. The RAR also determines the probability of occurrence and issues countermeasures aimed at mitigating the identified risks, in an endeavor to provide an appropriate level of protection and to satisfy all the minimum requirements imposed by the organization's policy document (NIST, 2010).

The system security policy requirements are now satisfied, with the exception of the specific areas identified in this report. The countermeasures recommended in this report add to the additional security controls needed to meet policy and to effectively manage the security risk to the organization and its operating environment. Finally, the Certification Official (CO) and the AO must determine whether the totality of the protection mechanisms amounts to a sufficient level of security and is adequate for the protection of this system, its resources, and its information.
References

1. Bradley, T. (2016, October 17). Critical Vulnerability in Apple Mac OS. Retrieved from https://www.lifewire.com/critical-vulnerability-in-apple-mac-os-x-2487643

2. National Institute of Standards and Technology (NIST). (2010). Guide for applying the risk management framework to federal information systems. NIST Special Publication 800-37 Revision 1. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

3. National Institute of Standards and Technology (NIST). (2012). Guide for Conducting Risk Assessments. NIST Special Publication 800-30 Revision 1. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

4. National Institute of Standards and Technology (NIST). (2014). Assessing security and privacy controls in federal information systems and organizations. NIST Special Publication 800-53A Revision 4. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf

5. National Institute of Standards and Technology (NIST). (2006). Electronic Authentication Guideline. NIST Special Publication 800-63 Revision 1.0.2. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-63ver1.0.2.pdf

6. Rouse, M. (2017). Definition: buffer overflow. Retrieved from http://searchsecurity.techtarget.com/definition/buffer-overflow