Inventory and Control of Enterprise Assets - Essayabode

1. Background Information regarding the CIS Controls

The Center for Internet Security (CIS) has published a best practice for security. It covers 18 controls that CIS has established as fundamental for any security program to be effective. This is important because it prioritizes the security functions that are most effective against the latest advanced targeted threats, emphasizing what works and aligning with common industry frameworks. See the FAQs regarding the controls at https://www.cisecurity.org/controls/cis-controls-faq/

The controls are:

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

2. Requirement of the Final Paper

Company hiring a New CISO

Introduction

A well-known company (you select the industry or the company that will help you design the plan) has suffered a breach and is concluding its return to normal operation after hiring a forensic firm. As a result of the intrusion, the CISO was terminated. The CEO and CFO are hiring you to be the new company CISO. They have asked you to create a 90-day plan for the company that will address the issues of the breach and will implement a comprehensive security program. The CEO and CFO want you to make a three (3) to five (5) minute presentation of your plan at the quarterly company board meeting. You must be able to submit your security program to the board of directors before the meeting.
At a minimum, your security plan should cover recommendations regarding corrective measures and activities that will improve the company (you may make assumptions regarding the cause of the breach and the weaknesses of the organization, but you must explain those assumptions).

1. Create a 90-day plan (you may want to create a timeline) that includes the following components:

a. Reference at least 3 CIS controls and, for each, the reason you need the control, how you would use the control, and what the expected benefit will be of implementing it to mitigate the weakness you identify (3 pages; one page per control maximum).
b. Identify 3 risks that might impact the company and your proposed mitigation plan (what are the 3 risks and what will happen to the company if they are not mitigated; remember they may not be mitigated completely). (1-2 pages maximum)
c. Compose a Security Blueprint that contains at least 3 areas that you will be addressing (any format you choose).
d. Describe at least two security education or awareness actions you would implement and what they would contain. (1-2 pages)
e. Two quotes from professor.

2. Prepare a 5 minute presentation to be presented in addition to the written document.

1. Background of the Breach

After discovering there was a breach through a notification from the FBI, the company engaged a well-known firm, Forensic and Recovery R-US (WKFR). The firm was engaged to identify the cause of the breach and remove all remnants of software left by the hackers. The firm was requested to deliver a comprehensive report to the CISO that covers the findings and some suggested actions that need to be taken. For the purposes of your 90-day plan, you can make assumptions regarding the findings, but you must make a short statement that rationalizes your assumptions.

The Disclosure Report

One intruder had entered the internal network, pivoted throughout the company’s infrastructure, and established several beachfronts.
The beachfronts helped to make sure that the intruder maintained invisibility for over three months before discovery. The investigation found that an unregistered copy of the firm’s data had been created on an internal server. The data set was encrypted with an algorithm different from the company encryption standard. The database contained all customer data. There is evidence that over a two-month period the data was transmitted to an IP address located in Transylvania at the home of Dr. Franken Stein. A second intruder was found and is well known in the industry. This intruder is in Eastern Europe, had been copying business data for over six months, and was selling that information on the dark web.

The forensic report from WKFR exposed many deficiencies in the security practice at the company. The company was compliant with many regulations and industry standards, but its security practices fell short of a comprehensive security program, and it was not apparent that there was a sound, in-depth security function. The forensic report attributes the breach to two failures:

• a known software vulnerability that should have been patched as part of the regular security patching cycle, and
• an administrator ID that should have had better protection, because it was compromised.

These two failures were the cause of the massive breach of data, resulting in the loss of 250 million personal records, two planned acquisitions, and blueprints for a new self-driving, advanced power vehicle.

Contributing Factors

On a weekly basis, the Security Operation Center (SOC) runs a vulnerability report using Tenable. This software reports on the patching and software level of all servers and software products installed. It was found that a critical software product was not reporting its status because its condition was programmatically suppressed in Tenable.
The after-action report shows alerts were suppressed because the server and software were not considered to be an essential part of the infrastructure by computer operations (in actuality, this server should have been classified as critical). Much is still unknown, but it came down to a flaw in a tool designed to build web applications, the company announced in its press release. The company admitted it was aware of the security flaw a full six months before the hackers gained access to its data, but it did not realize that this critical server was not being evaluated correctly. Some of the information hackers had access to included names, Social Security numbers, birth dates, addresses and driver’s license numbers for their primary business. The primary business is to perform background checks for companies seeking to hire new employees. The stolen data also included acquisition plans, development plans and financial plans of their R&D subsidiary. The flawed software is called Apache Struts, and many large businesses and government organizations use it. The company used it to support its online customer portal. The flaw allowed hackers to take control of a website. A cybersecurity arm of the U.S. Department of Homeland Security, US-CERT, “identified and disclosed” the Apache Struts flaw over eight months earlier, and the company’s security department “was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems.” According to the company, hackers exploited the flaw months later on the server that did not report to the vulnerability assessment tool when scanned. The company reported that it discovered the data breach and waited until it “observed additional suspicious activity” before finally taking the affected web application offline. With help from WKFR, the company was able to determine that a series of breaches had occurred during the three-month period, the company said.
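The root cause above is a coverage gap: a critical server was in the environment but its scanner status was suppressed, so the weekly vulnerability report never showed it. The check below, an added example that is not part of the assignment text or any Tenable product code, reconciles an enterprise asset inventory (CIS Control 1) against what the scanner actually reports; hostnames, record layouts and dates are constructed for illustration.

```python
"""Reconcile an enterprise asset inventory (CIS Control 1) against scanner
coverage, so that a critical asset whose findings are suppressed, never
scanned, or scanned too long ago shows up as a gap instead of silently
dropping out of the weekly report. All records below are constructed."""
from datetime import date, timedelta

# Constructed inventory: hostname -> (owner, criticality)
INVENTORY = {
    "portal-web-01": ("customer-portal", "critical"),
    "portal-web-02": ("customer-portal", "critical"),
    "hr-file-01":    ("hr", "medium"),
    "dev-build-03":  ("r&d", "low"),
}

# Constructed scanner export: one record per host the scanner knows about.
# 'suppressed' stands in for the programmatic suppression in the scenario.
SCANNER = [
    {"host": "portal-web-01", "last_scan": date(2024, 5, 1), "suppressed": False},
    {"host": "portal-web-02", "last_scan": date(2024, 5, 1), "suppressed": True},
    {"host": "hr-file-01",    "last_scan": date(2024, 3, 2), "suppressed": False},
    {"host": "stage-db-07",   "last_scan": date(2024, 5, 1), "suppressed": False},
]

MAX_AGE = timedelta(days=7)      # the weekly scan cycle from the scenario
TODAY = date(2024, 5, 3)         # constructed reference date for the report


def reconcile(inventory, scanner, today):
    """Return coverage gaps grouped by the reason each host is a problem."""
    seen = {r["host"]: r for r in scanner}
    gaps = {"not_scanned": [], "suppressed": [], "stale": [], "unregistered": []}
    for host, (_owner, crit) in inventory.items():
        rec = seen.get(host)
        if rec is None:
            gaps["not_scanned"].append(host)            # inventory knows it, scanner does not
        elif rec["suppressed"] and crit in ("critical", "high"):
            gaps["suppressed"].append(host)             # needs a reviewed, documented exception
        elif today - rec["last_scan"] > MAX_AGE:
            gaps["stale"].append(host)                  # missed at least one weekly cycle
    # Hosts the scanner sees but the inventory does not: an unregistered server.
    gaps["unregistered"] = sorted(set(seen) - set(inventory))
    return gaps


if __name__ == "__main__":
    for reason, hosts in reconcile(INVENTORY, SCANNER, TODAY).items():
        print(f"{reason}: {hosts}")
```

Each bucket is an action item for the 90-day plan: suppressed critical hosts are reviewed first, then unregistered hosts are classified and added to the inventory.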
Applying patches at corporations with large infrastructures does take time. They must first identify the vulnerability, then implement and test the patch to make sure it doesn’t break anything before applying it in production environments. However, security experts say the company should have moved faster: “When you’re a big organization like that, it’s a systemic failure of process, and the blame goes straight to the top.” The company was also widely criticized for waiting more than a month before alerting its customers and shareholders about the hack.

Organization Chart