Fluent Essays

see attachment Running Head: Overview and Final Vulnerability and Threat Assessment Report Overview and Final Vulnerability and Threat Assessment Report for Reed Inc Urie L. Reed University of Maryland Global Campus CMP 630 Table of Contents Reed Inc 2 Scope of Work 3 Reed Inc Vulnerability Assessment Work Breakdown Structure 4 Reed Inc’s Vulnerabilities and Threats for Assessment 7 Vulnerability Assessment Methodology 7 Lessons Learned during the Assessment Process 10 Findings and recommendations 12 References 13 Appendix A: Network Analysis Tools 14 Appendix B: The Matrix for Reed Inc’s Vulnerability Assessment 15 Vulnerability and Threat Assessment Report for Reed Inc Reed Inc Today, due to the advanced technology, organizations face a number of attacks from organized and skilled hackers which causes losses. This is only possible when they exploit the existing vulnerabilities in Reed Inc and this might be due to the carelessness of personnel, weak physical security measures, not having a properly secured perimeter network and failing to educate employees of my company on cyber-security (Scholz, 2017). Personnel education is very important as it helps to reduce chances of getting attacked by hackers in such ways as; they might share sensitive organizational information with unauthorized persons who might have tricked them into sharing them through social engineering, unknowingly click on malicious links which might infect the systems of the organization and many other ways they may get careless. Furthermore, having strong physical security measures is very important for an organization. A strong physical security measure like for the one in Reed Inc ensures that unauthorized persons are not able to have physical access to the network and other system devices of the company. If these unauthorized persons get access to this devices, they might insert other malicious media into the system which can be used later to control them. These hackers might also use that opportunity to get access to organization’s sensitive information which could be used against them (Scholz, 2017). Network security is also very essential to any organization including Reed Inc in this modern days. A network in the organization is the root of all communications that goes on either within it or with the outside world. Therefore, in case attackers get unauthorized access to Reed Inc’s network, they might cut off the communication, listen to whatever is being exchanged within the organization or even with the outside world and use it against them especially by sharing what they find out with their competitors and this have a catastrophic impact to the company (Ali & Awad, 2018). Hence, in order for the company to prevent such attacks they must lay down very strong measures to protect their network and this includes; properly configuring the firewalls, routers, other network devices and most importantly they should use the most secure channels to communicate. Additionally, in the cyber space so many threats and vulnerabilities exist and hackers take advantage of this to exploit individuals and organization. These threats and vulnerabilities might originate from within or outside the organization. Information technology specialists should look for ways to scan for and eliminate these threats and vulnerabilities before they can be used against the company. Various network scanning tools were used to carry out this assessment. (Camacho et al, 2020). Scope of Work The elements within Reed Inc that will be used in the assessment include information technology environments and networks within Reed Inc. The assessment also outlines the importance of having strong physical and network security measures and generally educating employees on cyber-security (Ali & Awad, 2018). Employees must be aware that they should be very careful with the information that they share with other people especially those outside the organization. In addition, some of the elements to be assessed are the policies and the physical infrastructure of Reed Inc. The information technology environments comprises of the following components that will be used in assessment: · Network devices such as routers, switches, firewalls and other essential devices within this environment. · IT personnel · Computers · Reed Inc computer applications Reed Inc network comprises of all networking devices mentioned above including other infrastructures such as the cloud facilities and its elements. Physical infrastructure of Reed Inc comprises of all the tangible items in the company such as buildings, doors protecting these computer and network devices. All these physical infrastructure elements will be used in the vulnerability assessment. The policies of Reed Inc involves the outlined guidelines that govern the operations of the company and gives out the procedure of conducting certain activities. Reed Inc Vulnerability Assessment Work Breakdown Structure This is a deliverable oriented structure that highlights the work of the team in a hierarchical manner. Activities have been grouped in a manageable way, very detailed and most of the effort is put on the outcomes rather than the actions. Deliverables include data, product and services that can be broken down into components such as parts of the product, functionalities of a service and so on. The Work Breakdown Structure included the following elements which can be tested and later analyzed; A. During the Pre-assessment Comment by Hank Williams: Please be consistent with your lists. You have a mix of bullets, roman numerals, integers and letters and you are not consistent within each level. The following activities were carried out during the pre-assessment phase; · Collection of information from persons involved · Keeping a record of the assets of Reed Inc · Identification of specialists to help in the assessment · Outlining the procedures to be used in the vulnerability assessment. In addition, this phase involved collection of information on assets and other requirements as follows; 1) Hardware; Server, desktops and mobile 2) Network · Routers · Data; data of the organization, data of users, system data, information classification and defining information classification policy · Assets inventory; defining categories of assets, defining owners of assets and their responsibilities and classification of assets · Segregation of the Network; defining the traffic rules of the network and defining the network perimeters was also done in this phase · Cabling Security · Remote access · Wireless communication setup 3) Software · Application · Operating System 4) Threat identification · Defined internal threats; Personnel threats, policies and procedures · Defined external threats; systems threats, connectivity threats and databases threats 5) Identified existing security measures; hardware security measures, software security measures, telecommunications security measures and cloud resources security measures 6) Defined compliance requirements; define legal aspects B. During the Assessment Comment by Hank Williams: This also needs to be a numbered list to show the different steps. You should also write in 3rd person, not first person as this is a formal report. In this phase, a series of activities are used in order to successfully carry out the vulnerability assessment of Reed Inc. In this assessment, a vulnerability assessment was also conducted on all the assets. In addition, the results of every step taken during the vulnerability assessment activity were also recorded. Furthermore, various network analysis tools were also used to analyze Reed Inc’s network activities and the results were recorded. The risks and also the impact of every threat and vulnerability on Reed Inc assets were also realized. C. During the Post-assessment Comment by Hank Williams: This also needs to be a numbered list to show the different steps. You should also write in 3rd person, not first person as this is a formal report. The results of the assessment were documented and the right procedure was also used in achieving these results. A matric was constructed to show the results of the analysis. Reed Inc should implement system logging which helps to keep a record of the events of the operating system hence showing errors, informational and any warning events that relates to the operating system of the computers (Seltzer et al, 1995). This therefore enables administrators to easily troubleshoot the system to identify the cause of problems and conducting penetration testing more frequently helps a lot. Reed Inc’s Vulnerabilities and Threats for Assessment Network scanning is one of the main methods of finding out the existing threats and vulnerabilities on the perimeter network. The scanning produces results that are commonly known by their Common Vulnerabilities and Exposures (CVE) designations and the system catalogues and manages those that are publicly known and rated by Common Vulnerability Scoring System (CVSS) (Christey & Martin, 2007). Various approaches for threats and vulnerabilities prioritization exist. The following approach was used to prioritize threats and vulnerabilities on the resources of the company: Vulnerability Assessment Methodology 1. Involve the stakeholders of the organization in the process This process if often left to the information technology specialists only but in this assessment it also involved the stakeholders of the Reed Inc and those with the skills that these specialists don’t have and this also includes those in the senior management position in the company. (Schaad & Binder, 2020). 2. Identify threats and vulnerabilities in the organization This step involves identification of security threats and vulnerabilities, determining their categories, scenarios and the events they have been involved in. In this assessment, threats were categorized as follows (Onwubiko & Lenaghan, 2007); i. Internal threats which includes; · Personnel threats; employee sabotage, data theft, unauthorized access, accidental data disclosure or loss and weak security measures · Policies; explains guidelines that govern employees, partners, members of the board and even a consultant, this includes; email encryption rules, rules on social media usage, password guidelines and steps for remote access. · Procedures: procedures should be updated regularly and reviewed at least annually. ii. External threats; · Database threats; database injection attacks, vulnerable database exploitation, malicious software, excess privileges, abuse of the legitimate privileges and others · Connectivity threats; viruses, Trojan horse, adware, man-in-the-middles attacks and others · System threats; port scanning, worms, denial of service and others The vulnerabilities include; · Unpatched software · Attacks related to social engineering · Misconfigured systems · Malicious applications 3. Determining the threshold for acceptable and unacceptable risks This involved setting a threshold that is, putting down what is comprised as acceptable and unacceptable risks for the company. The Matrix for Reed Inc’s Vulnerability Assessment The finding of the assessment are shown in the tables below; low shows how the classifications of risks is conducted in the assessment Vulnerability/Threat/Risk Matrix VUL ID 2021 – 1A Vulnerability Description Threat Description Likelihood Impact No maintenance for at least a year ago System failure High Low Risk level Priority Moderate Asset Recommended remediation Cost Reed Inc Server Conduct frequent server maintenance 3500 Vulnerability/Threat/Risk Matrix VUL ID 2021 – 1B Vulnerability Description Threat Description Likelihood Impact Permissions in the system not properly configured. Accidental personnel interference High High Risk level Priority High High Asset Recommended remediation Cost Shared files Continue with permissions monitoring for any changes, privileged users and backup 3000 Vulnerability/Threat/Risk Matrix VUL ID 2021 – 1C Vulnerability Description Threat Description Likelihood Impact Misconfigured firewalls Malicious users Moderate Low Risk level Priority Moderate Moderate Asset Recommended remediation Cost Web server Monitor the firewalls on the network 4000 Vulnerability/Threat/Risk Matrix VUL ID 2021 – 1D Vulnerability Description Threat Description Likelihood Impact Less qualified security personnel System misconfiguration Moderate Low Risk level Priority Moderate Moderate Asset Recommended remediation Cost Reed Inc IT systems Hiring of highly skilled security professionals 4500 Vulnerability/Threat/Risk Matrix VUL ID 2021 – 1E Vulnerability Description Threat Description Likelihood Impact Weak physical security Unauthorized persons Moderate High Risk level Priority Moderate Moderate Asset Recommended remediation Cost Computer devices & data Improve the physical security to more reinforced entrance to the building 5000 4. Create Financial Impact Assessment Scale Threats and vulnerabilities in the network of the organization have corresponding financial consequences. In most cases, it is almost impossible for the top management to make intellectual decisions about these threats and vulnerabilities without knowing their financial impact on the organization. 5. Creating a Probability Scale Every event that involves a threat or a vulnerability, a scale is to be created to determine the possibility of the event occurring over a certain period of time. 6. Assessment of the threat severity level The severity level must be assessed for all the threat events. The product of financial impact cost and occurrence probability are used to find the severity level. 7. Determine the threat event proximity There is normally fluctuation in the probability of occurrence of an event and its financial impact which are unpredictable in most cases. Henceforth, prioritizing threats and vulnerabilities helps organizations to easily handle them hence reducing their chances of getting attacked by hackers. Lessons Learned during the Assessment Process There is no fully secured system in the world, there exist weaknesses in the company network that can be exploited to cause harm. Some of the lessons learnt during the threat and vulnerabilities assessment process include but not limited to the following; 1. The cost may overweigh the benefits: it is important to note that all the necessary steps must be taken during the assessment and this includes departments re-thinking, resource reallocation and outsourcing of services to handle this situation where organizations such as Reed Inc experience losses. In addition, during the assessment it was also discovered that when one cuts the budget it will affect the setup of a good security in Reed Inc. 2. Threat and vulnerability assessment should include stakeholders and partners of the organization: during the assessment it was discovered that the security of organization’s system is not just about securing the assets of the company but should also extend to the stakeholders and partners of the business. Furthermore, one or more provisions of security should be included when a new commercial partnership contract is drafted in order to protect the organization from any kind of loss. In order to avoid this, it is very important for Reed Inc to put contractual clause in place to prevent future problems (Renfroe & Smith, 2010). 3. Learned about remediation solutions to secure Reed Inc’s perimeter: During the assessment, it was clear that Reed Inc should secure all points of the perimeter to minimize chances of them being attacked by hackers. Some of those measures include (Borum et al, 1999); · It is always advisable to prioritize the threats and vulnerabilities in the organization. · Auditing and assessment of threats and vulnerabilities should be conducted more frequently, for instance, annually. · Conduct cyber awareness to the employees of Reed Inc · Carry out penetration testing more frequently 4. Emergency plans re-evaluation and updating is a necessary step: During the assessment, one of the lessons learnt is that threat and vulnerability assessment is not limited to the virtual assets of the organization, instead it applies to all business continuity plan aspects. Assessment sessions’ results helps in defining actionable plans. Another important lesson, during the assessment, is also important to note that threat and vulnerability assessment includes fire and any other type of hazard. Always include newer threats and vulnerabilities in the emergency procedures (Shah & Mehtre, 2015). 5. Use of zero trust model, least privilege and create employee cyber-awareness: Also learnt from the process that according to NMS Consulting, most of the successful cyber-attacks are due to human error. Therefore this can be reduced by educating employees of Reed Inc on various ways they can protect themselves and organization from attacks and this was conducted during the assessment process (Shah & Mehtre, 2015). This education by cyber security specialists in Reed Inc will reduce the risks associated with human error. 6. During the assessment process, it was also important to note that remediation is always part of threat and vulnerability management. Therefore Reed Inc should regularly patch and update their systems and practice other measures that tend to prevent data breaches Findings and recommendations Threat and vulnerability assessment should be part of the company’s information technology department’s duties. In addition, there are also various open source network analysis tools that can be implemented by the organization in order to learn more about what is going on in the network and prevent attacks (Shah & Mehtre, 2015). Furthermore, as per the above research, vulnerability and threat assessment is not only a technical undertaking, it should also involve other stakeholders. References Ali, B., & Awad, A. I. (2018). Cyber and physical security vulnerability assessment for IoT-based smart homes. sensors, 18(3), 817. Camacho, D., Panizo-LLedot, Á., Bello-Orgaz, G., Gonzalez-Pardo, A., & Cambria, E. (2020). The four dimensions of social network analysis: An overview of research methods, applications, and software tools. Information Fusion, 63, 88-120. Mattos, D. I., Dakkak, A., Bosch, J., & Olsson, H. H. (2020, June). Experimentation for Business-to-Business Mission-Critical Systems: A Case Study. In Proceedings of the International Conference on Software and System Processes (pp. 95-104). Scholz, R. W. (2017). Digital threat and vulnerability management: the SVIDT method. Sustainability, 9(4), 554. Sutrisna, M., Ramanayaka, C. D., & Goulding, J. S. (2018). Developing work breakdown structure matrix for managing offsite construction projects. Architectural engineering and design management, 14(5), 381-397. Appendix A: Network Analysis Tools Network analysis tools used for the assessment include the following; 1. Aircrack This tool was used in the WiFi security assessment and was also be very applicable in the network auditing and mostly importantly, supports multiple operating systems such as Linux, Solaris, Windows and others (Akhtar, 2014). 2. Netsparker This web application vulnerability scanning tool was used to automate scanning actions in finding vulnerabilities (Akhtar, 2014). 3. Nmap Nmap is an open-source network analysis tool and it was used to discover hosts in the network and operating system of Reed Inc since it uses a probing approach. 4. Nikto2 This is another tool that was used in the analysis of Reed Inc’s network which was focused on web application security and is open-source. It was also able to report any configurations issues on the server and offer ways of reducing risks associated with the vulnerabilities (Akhtar, 2014). 15 Project 2: Risk Assessment Summary Report Template Your CIO, Maria Sosa, has asked you to write a Risk Assessment report based upon the results of the vulnerability assessment completed in project 1 outlining risks and responses. Final Risk Assessment Summary Report (five- to seven-page report using this template: Step 13) This report should include the following components: · Title Page · Include: · for whom you are preparing the document, the title, the date prepared, and your name as the preparer of the document · Executive Summary · This is a continuation of the Vulnerability Assessment in project 1. · Make sure this is focused on supporting the business. This report provides vital information that your executives will use to make business decisions. Keep this in mind! · Include: · the purpose of the report, intended audience, and an explanation of the importance of risk assessment · Prioritized Risks and Response Matrix (table from Step 8: Use Template from Discussion Area) · Include introductory text prior to the matrix · Recommended Risk Management Strategies and Technologies (one- to two-page narrative, from Step 10) This is a discussion of strategies and/or technologies that could be used · Include: · An in-depth discussion of your Prioritized Risks and Response Matrix discussing each of the possible Risk Response Strategies for each vulnerability · the consideration of relevant compliance issues · Risk Management Implementation (two- to three-page narrative) This is a discussion of your actual recommendations and why they were chosen and is based upon your research in the previous section. VUL ID # Asset Vulnerability Description Threat Description From P1 From P1 From Project 1 From Project 1 Likelihood Impact From P1 From P1 Recommended Remediation Risk Response Strategy/Factor Risk Level Priority From Project 1 (Remediate, Accept and Mitigate, or Transfer)/(Cost, Capabilities, or Resources) From P1 From P1 VUL ID # Asset Vulnerability Description Threat Description Likelihood Impact Recommended Remediation Risk Response Strategy/Factor Risk Level Priority Accept and Mitigate/Resources VUL ID # Asset Vulnerability Description Threat Description Likelihood Impact Recommended Remediation Risk Response Strategy/Factor Risk Level Priority Remediate VUL ID # Asset Vulnerability Description Threat Description Likelihood Impact Recommended Remediation Risk Response Strategy/Factor Risk Level Priority Vulnerability Description Threat Description Prioritized Risks and Response Matrix (make sure you scroll down all the way!) Notes on the Risk Response Strategy Cell: The possible options are: 1. Remediate, 2. Accept and Mitigate, or 3. Transfer Remember, remediate is to fix the issue. Mitigate is part of accepting the risk and includes implementing compensating controls because you are not going to fix the issue. Transfer means to transfer the risk to an outside agency such as an insurance company. You only need to list the risk response along with the factor for any responses other than remediate. This should state the factor that was most in play for why you were not able to remediate. For example, cost would be the factor if the cost to remediate outweighed the potential damage. Resources could be the factor if you did not have enough employees to implement the remediation. Capability could be a factor if the risk was with vendor software and they had not yet developed a patch. Your entries in this cell should look like this. Remediate Accept/Cost Transfer/resource These are just some of the examples and you’ll need to determine your actual entries for yourself.