Many companies and agencies conduct IT audits to test and assess the rigor of IT security controls in order to mitigate risks to IT networks. Such audits also satisfy compliance mandates from regulatory organizations. Federal IT systems follow Federal Information Security Management Act (FISMA) guidelines and report security compliance to US-CERT, the United States Computer Emergency Readiness Team, which handles defense and response to cyberattacks as part of the Department of Homeland Security. In addition, Control Objectives for Information and Related Technologies (COBIT) is an IT governance and management framework that provides a structure for IT security controls in the commercial sector.
These audits are comprehensive and rigorous, and negative findings can lead to significant fines and other penalties. Therefore, industry and federal entities conduct internal self-audits in preparation for actual external IT audits, and compile security assessment reports.
In this project, you will develop a 12-page written security assessment report and executive briefing (slide presentation) for a company and submit the report to the leadership of that company.
There are six steps to complete the project. Most steps in this project should take no more than two hours to complete, and the project as a whole should take no more than three weeks to complete. Begin with the workplace scenario, and then continue to Step 1.
Step 1: Conduct a Security Analysis Baseline
In the first step of the project, you will conduct a security analysis baseline of the IT systems, which will include a data-flow diagram of connections and endpoints, and all types of access points, including wireless. The baseline report will be part of the overall security assessment report (SAR).
You will get your information from a data-flow diagram and report from the Microsoft Threat Modeling Tool 2016. The scope should include network IT security for the whole organization. Click the following to view the data-flow diagram:
[diagram and report]
Include the following areas in this portion of the SAR:
- Security requirements and goals for the preliminary security baseline activity.
- Typical attacks on enterprise networks and their descriptions. Include Trojans, viruses, worms, denial of service, session hijacking, and social engineering. Include the impacts these attacks have on an organization. Describe the ways to detect this malicious code and the tactics bad actors use to evade detection.
- Network infrastructure and diagram, including configuration and connections. Describe the security posture with respect to these components and the security employed: LAN, MAN, WAN, enterprise. Use these questions to guide you:
  What are the security risks and concerns?
  What are ways to get real-time understanding of the security posture at any time?
  How regularly should the security of the enterprise network be tested, and what type of tests should be used?
  What are the processes in place, or to be established, to respond to an incident?
  Workforce skill is a critical success factor in any security program, and any security assessment must also review this component. Lack of a skilled workforce can itself be a security vulnerability. Does the security workforce have the requisite technical skills and command of the necessary toolsets to do the job required?
  Is there an adequate professional development roadmap in place to maintain and/or improve the skill set as needed?
- Public and private access areas, web access points. Include in the network diagram the delineation of open and closed networks, where they co-exist. In the open network and closed network portion, show the connections to the Internet.
- Physical hardware components. Include routers and switches. What security weaknesses or vulnerabilities are within these devices?
- Operating systems, servers, network management systems. Cover:
  data in transit vulnerabilities
  endpoint access vulnerabilities
  external storage vulnerabilities
  virtual private network vulnerabilities
  media access control vulnerabilities
  ethernet vulnerabilities
- Possible applications. This network will incorporate a BYOD (bring your own device) policy in the near future. The IT auditing team and leadership need to understand current mobile applications and possible future applications and other wireless integrations. You will use some of this information in Project 2 and also in Project 5.
The overall SAR should detail the security measures needed, or the implementation status of those in progress, to address the identified vulnerabilities. Include:
- remediation
- mitigation
- countermeasures
- recovery
Through your research, provide the methods used to provide the protections and defenses.
From the identification of risk factors in the risk model, identify the appropriate security controls from NIST SP 800-53 (the control catalog; its companion, NIST SP 800-53A, gives the assessment procedures for each control) and determine their applicability to the risks identified.
The baseline should make up at least three of the 12 pages of the overall report.
When you have completed your security analysis baseline, move on to the next step, in which you will use testing procedures that will help determine the company’s overall network defense strategy.
Step 2: Determine a Network Defense Strategy
You’ve completed your initial assessment of the company’s security with your baseline analysis. Now it’s time to determine the best defenses for your network.
Start by reading a publication by the National Institute of Standards and Technology, NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, and outline how you would test for violations. Identify how you will assess the effectiveness of these controls and write test procedures that could be used to test for effectiveness. Write them in a manner that allows a future information systems security officer to use them in preparing for an IT security audit or IT certification and accreditation. Within this portion of the SAR, explain the different testing types (black box testing, white box testing).
Include these test plans in the SAR. The strategy should take up at least two of the 12 pages of the overall report.
Click the following link to learn more about cybersecurity for process control systems:
Cybersecurity for Process Control Systems
After you’ve completed this step, it’s time to define the process of penetration testing. In the next step, you’ll develop rules of engagement (ROE).
Step 3: Plan the Penetration Testing Engagement
Now that you’ve completed your test plans, it’s time to define your penetration testing process. Include all involved processes, people, and timeframe. Develop a letter of intent to the organization, and within the letter, include some formal rules of engagement (ROE). The process and any documents can be notional or can refer to actual use cases. If actual use cases are included, cite them using APA format.
This portion should be about two pages of the overall 12-page report.
After you have outlined the steps of a penetration testing process, in the next step you will perform penetration testing. During the testing, you will determine if the security components are updated and if the latest patches are implemented, and if not, determine where the security gaps are.
Step 4: Conduct a Network Penetration Test
You’ve defined the penetration testing process, and in this step, you will scan the network for vulnerabilities. Though you have some preliminary information about the network, you will perform a black box test to assess the current security posture. Black box testing is performed with little or no information about the network and organization.
To complete this step, you will use industry tools to carry out simulated attacks to test the weaknesses of the network.
Your assessments within the lab will be reported in the SAR.
Complete This Lab
Here are some resources that will help you complete the lab:
- Accessing the Virtual Lab Environment: Navigating the Workspace and the Lab Setup.
- Review the Workspace and Lab Machine Environment Tutorial
- Lab Instructions: Penetration Testing Lab
Step 5: Complete a Risk Management Cost Benefit Analysis
You’ve completed the penetration testing, and now it’s time to complete your SAR with a risk management cost benefit analysis. Within this analysis, think about the cost of violations and other losses if you do not add the controls. Then add in the cost of implementing your controls.
When you have finished with the cost benefit analysis, which should be at least one page of your overall report, move to the final step, which is the completed SAR. As part of the final assignment, remember that you will need to create a slide presentation as part of the executive briefing, and submit that along with the SAR.
Step 6: Compile the SAR, Executive Briefing, and Lab Report
You have completed comprehensive testing in preparation for this audit, identified the remediations needed, and developed a set of recommendations. Now you are ready to submit your SAR and executive briefing.
The requirements for Project 1 are as follows:
- Executive briefing: A three- to five-slide visual presentation for business executives and board members.
- Security assessment report (SAR): Your report should be 12 pages minimum, double-spaced with citations in APA format. The page count does not include figures, diagrams, tables or citations.
Project 1
CST630 Project Checklist
Student Name:
Date:
Note: This checklist is based on the required project deliverables in the project steps and instructions in the classroom, to help students write their papers and professors evaluate submissions. It supplements the course grading rubric, and its use is optional. The Department welcomes any recommendations for improvement.
Project 1: Requires the Following THREE Pieces (each checklist row carries an “Areas to Improve” column for feedback)
1. Security Assessment Report (SAR) (12 pages minimum, double-spaced)
2. Executive Briefing Slides (3 to 5 slides)
3. Lab Experience Report
Specific Details
1. Security Assessment Report (12 pages)
Conduct a Security Analysis Baseline (3 of 12 pages)
- Security requirements and goals for the preliminary security baseline activity.
- Typical attacks on enterprise networks and their descriptions. Include Trojans, viruses, worms, denial of service, session hijacking, and social engineering.
- Include the impacts these attacks have on an organization.
- Network infrastructure and diagram, including configuration, connections, and endpoints.
- Describe the security posture with respect to LAN, MAN, WAN, enterprise.
- What are the security risks and concerns?
- What are ways to get real-time understanding of the security posture at any time?
- How regularly should the security of the enterprise network be tested, and what type of tests should be used?
- What are the processes in place, or to be established, to respond to an incident?
- Does the security workforce have the requisite technical skills and command of the necessary toolsets to do the job required?
- Is there an adequate professional development roadmap in place to maintain and/or improve the skill set as needed?
- Describe the ways to detect this malicious code and the tactics bad actors use to evade detection.
- In the network diagram: include the delineation of open and closed networks, where they co-exist.
- In the open network and closed network portion, show the connections to the Internet.
- Physical hardware components. Include routers and switches. What security weaknesses or vulnerabilities are within these devices?
- Discuss operating systems, servers, network management systems: data in transit vulnerabilities; endpoint access vulnerabilities; external storage vulnerabilities; virtual private network vulnerabilities; media access control vulnerabilities; ethernet vulnerabilities.
- Possible applications. Current and future mobile applications and a possible future Bring Your Own Device policy.
- Include: remediation, mitigation, countermeasures, recovery.
- Provide the methods used to provide the protections and defenses.
- From the identification of risk factors in the risk model, identify the appropriate security controls from NIST SP 800-53 (assessment procedures in NIST SP 800-53A) and determine their applicability to the risks identified.
Determine a Network Defense Strategy (2 of 12 pages)
- Outline how you would test for violations.
- Identify how you will assess the effectiveness of these controls and write test procedures that could be used to test for effectiveness.
- Write them in a manner that allows a future information systems security officer to use them in preparing for an IT security audit or IT certification and accreditation.
- Explain the different testing types (black box testing, white box testing).
Plan the Penetration Testing Engagement (2 of 12 pages)
- Include all involved processes, people, and timeframe.
- Develop a letter of intent to the organization, and within the letter, include formal rules of engagement (ROE).
Conduct a Network Penetration Test (4 of 12 pages)
- After finding the security issues within the network, define which control families from NIST SP 800-53 are violated by these issues.
- Explain in the SAR why each is a violation; support your arguments with a copy of your evidence.
- Provide suggestions on improving the security posture with respect to these violations.
Complete a Risk Management Cost Benefit Analysis (1 of 12 pages)
- Complete your SAR with a risk management cost benefit analysis. Think about the cost of violations and other losses if you do not add the controls. Then add in the cost of implementing your controls.
*****Conduct a Security Analysis Baseline Feedback*****
2. Executive Briefing (three- to five-slide presentation; narration not needed)
- Explain key points to executives
- Title Slide
- Use of Readable Fonts and Color
- Summarizes Findings and Recommendations at a High Level
*****Executive Briefing Feedback*****
3. Lab Experience Report with Screenshots
- Summarizes the Lab Experience and Findings
- Responds to the Questions
- Provides Screenshots of Key Results
*****Lab Experience Report Feedback*****
Project 2
Project 2: Requires the Following TWO Pieces
1a. Cybersecurity Incident Report (CIR) (12 pages minimum)
1b. Executive Summary (one-page summary at the beginning of your CIR)
1. Cybersecurity Incident Report (CIR) (12 pages) w/ Executive Summary
Develop a Wireless and BYOD Security Plan
- Executive summary: A one-page summary at the beginning of the report.
- Using NIST SP 800-153, provide an executive summary to answer other security concerns related to BYOD and wireless.
- Provide answers to the threat of unauthorized equipment or rogue access points on the company wireless network and the methods to find other rogue access points.
- Describe how to detect rogue access points and how they can actually connect to the network.
- Describe how to identify authorized access points within your network.
- Within your plan, include how the Cyber Kill Chain framework and approach could be used to improve incident response times for networks.
- Include this at the beginning of your CIR as the basis for all wireless- and BYOD-related problems within the network.
- Title the section “Wireless and BYOD Security Plan.”
Track Suspicious Behavior
- Propose how you would track suspicious employee movements using various tools and techniques.
- How would you track the location of the company asset?
- Explain how identity theft could occur and how MAC spoofing could take place in the workplace.
- How would you protect against both identity theft and MAC spoofing?
- Address whether it is feasible to determine if MAC spoofing and identity theft have taken place in the workplace.
- Include a whitelist of approved devices for this network. Examples may include authorized access points, firewalls, and other similar devices.
- Discuss any legal issues, problems, or concerns with your actions.
- What should be conducted before starting this investigation?
- Were your actions authorized, was the notification valid, or are there any other concerns?
- Include your responses as part of the CIR with the title “Tracking Suspicious Behavior.”
Develop a Continuous Improvement Plan
- Provide for your leadership a description of Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) networks, for education purposes.
- Include the pros and cons of each type of wireless network, as well as WPA2.
- Define the scheme for using preshared keys for encryption.
- Is this FIPS 140-2 compliant, and if not, what is necessary to attain this?
- Include a list of other wireless protocols, such as Bluetooth.
- Provide a comparative analysis of four protocols including the pros, cons, and suitability for your company.
- Include your responses as part of the CIR with the title “Continuous Improvement Plan.”
Develop Remote Configuration Management
- Include a description of remote configuration management and describe how it is used to maintain the security posture of your company’s network.
- The owner of an undocumented device must be removed from the network. Implement this and explain how you would remove the employee’s device.
- Explain how you would show proof that the device was removed.
- Include your responses as part of the CIR with the title “Remote Configuration Management.”
Investigate Employee Misconduct
- Provide a definition of ad hoc wireless networks and identify the threats and vulnerabilities to a company.
- How could this network contribute to the company infrastructure, and how would you protect against those threats?
- Address self-configuring dynamic networks on open access architecture and the threats and vulnerabilities associated with them, as well as the possible protections that should be implemented.
- How would you detect an employee connecting to a self-configuring network or an ad hoc network?
- How would signal hiding be a countermeasure for wireless networks?
- What are the countermeasures for signal hiding?
- How is the service set identifier (SSID) used by cybersecurity professionals on wireless networks?
- Are these always broadcast, and if not, why not?
- How would you validate that the user is working outside of business hours?
- Include your responses as part of the CIR with the title “Employee Misconduct.”
Analysis of Wireless Traffic
- Analyze wireless traffic.
- Include your responses from the lab as part of the CIR with the title “Wireless Traffic Analysis.”
*****Cybersecurity Incident Report Feedback*****
2. Executive Briefing Slides (3-5 slides)
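The rogue-access-point and approved-device whitelist items above (“Wireless and BYOD Security Plan” and “Tracking Suspicious Behavior”) can be illustrated with the following added example, which is not part of the course materials and not taken from any vendor tool. It takes a constructed scan of observed BSSID/SSID/channel records, compares it against a per-BSSID whitelist, and separates authorized radios from evil twins (a corporate SSID beaconed by a BSSID the company does not own), spoofed BSSIDs (a whitelisted MAC seen with a second SSID or channel in the same scan), and plain unknown neighbors. The record field names, the whitelist contents and the sample scan values are assumptions.

```python
"""Rogue / evil-twin access point triage against an approved-device whitelist.

Added example; not part of the course materials. The scan records and the
whitelist below are constructed sample data, and the field names are assumed.
A real deployment would feed in the output of a wireless controller or a
WIDS/WIPS sensor scan instead of the inline list.
"""
from collections import defaultdict

# Whitelist of approved access points: corporate SSID -> set of authorized BSSIDs
# (constructed example values).
ALLOWLIST = {
    "CorpWiFi":  {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "CorpGuest": {"00:11:22:aa:bb:03"},
}

# Constructed scan result: what a sensor observed on the air.
SAMPLE_SCAN = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": "CorpWiFi",  "channel": 36, "rssi": -48},
    {"bssid": "00:11:22:aa:bb:02", "ssid": "CorpWiFi",  "channel": 44, "rssi": -55},
    {"bssid": "00:11:22:aa:bb:03", "ssid": "CorpGuest", "channel": 6,  "rssi": -60},
    # Corporate SSID advertised by a BSSID we do not own: evil twin.
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi",  "channel": 1,  "rssi": -40},
    # An authorized BSSID seen on a second channel with a different SSID:
    # somebody is spoofing our MAC.
    {"bssid": "00:11:22:aa:bb:02", "ssid": "Free-WiFi", "channel": 11, "rssi": -70},
    # Unknown SSID, unknown BSSID: a neighbor's network, worth logging only.
    {"bssid": "c0:ff:ee:00:00:01", "ssid": "Neighbor",  "channel": 11, "rssi": -85},
]


def classify_scan(scan, allowlist):
    """Sort observed BSSIDs into authorized / evil_twin / spoofed_bssid / unknown.

    evil_twin:     a corporate SSID beaconed by a BSSID not in the whitelist.
    spoofed_bssid: a whitelisted BSSID observed with more than one SSID or
                   channel in the same scan, or carrying an SSID that is not
                   its own (a real radio beacons one BSSID on one channel).
    unknown:       anything else not in the whitelist (neighbors, hotspots).
    """
    authorized = {b for bssids in allowlist.values() for b in bssids}
    corp_ssids = set(allowlist)

    seen = defaultdict(set)            # bssid -> {(ssid, channel), ...}
    for rec in scan:
        seen[rec["bssid"].lower()].add((rec["ssid"], rec["channel"]))

    result = {"authorized": [], "evil_twin": [], "spoofed_bssid": [], "unknown": []}
    for bssid, combos in sorted(seen.items()):
        if bssid in authorized:
            # Whitelisted radio: it must be consistent and must carry its own SSID.
            expected = {s for s, bs in allowlist.items() if bssid in bs}
            advertised = {s for s, _ in combos}
            if len(combos) > 1 or not advertised <= expected:
                result["spoofed_bssid"].append(bssid)
            else:
                result["authorized"].append(bssid)
        elif any(s in corp_ssids for s, _ in combos):
            result["evil_twin"].append(bssid)
        else:
            result["unknown"].append(bssid)
    return result


if __name__ == "__main__":
    for verdict, bssids in classify_scan(SAMPLE_SCAN, ALLOWLIST).items():
        print(f"{verdict:14s} {', '.join(bssids) or '-'}")
```

The whitelist is keyed per BSSID rather than per SSID on purpose: an attacker can clone an SSID trivially, so only the BSSID-plus-SSID pair carries meaning, and a multi-SSID access point beacons each SSID under its own BSSID, so every one of them has to be listed. The spoofed_bssid verdict is a heuristic: a sensor that merges scans from two sites can produce the same signal, so treat it as a lead to correlate with controller logs rather than as proof of MAC spoofing.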
Project 3
Project 3: Requires the Following TWO Pieces
1a. Cybersecurity Report for a Successful Acquisition (12 pages minimum)
1b. Executive Summary (one-page summary at the beginning of your Acquisition Report)
1. Cybersecurity for a Successful Acquisition Report (12 pages minimum) w/ Executive Summary
Conduct a Policy Gap Analysis
- Executive summary: This is a one-page summary at the beginning of your report.
- Are companies going through an M&A prone to more attacks or more focused attacks?
- If so, what is the appropriate course of action?
- Should the M&A activities be kept confidential?
- Explain to the executives that before any systems are integrated, their security policies will need to be reviewed.
- Conduct a policy gap analysis to ensure the target company’s security policies follow relevant industry standards as well as local, state, and national laws and regulations.
- Identify what, if any, laws and regulations the target company is subject to.
- How would you identify the differences?
- How would you learn about the relevant laws and regulations?
- How would you ensure compliance with those laws and regulations?
- Use the PCI standards to identify a secure strategy, and operating system protections, to protect the credit card data.
- Select at least two appropriate requirements from the 12 PCI DSS requirements and explain how the controls should be implemented, how they will change the current network, and any costs associated with implementing the change.
Review Protocols for Streaming Services
- Review the protocols, explain how they work along with any known vulnerabilities, and explain how to secure the company from cyberattacks.
- Identify what streaming the companies are doing and the specific technology they are leveraging.
- What are the technical vulnerabilities associated with the protocols involved?
- Have those been mitigated? And to what extent (i.e., has the risk been reduced to zero, reduced somewhat, shifted to a third party, etc.)?
- What residual risk to the target company’s assets and IP remains?
- Would those risks extend to the current (takeover) company after the merger? Would that be bad enough to cancel the M&A?
- If the answer to the preceding question is yes, what should the target company do to further mitigate the risk? How should the takeover company mitigate the risk?
- What are the costs to the target company of implementing the appropriate mitigation? If the takeover firm has to take additional measures, identify those costs as well.
Assess the Merged Network Infrastructure
- Explain what tactics, techniques, and procedures you would use to understand the network.
- Identify firewalls, DMZ(s), other network systems, and the status of those devices.
Review the Wireless and BYOD Policies
- Explain the media company’s current stance on wireless devices and BYOD.
- Explain to the managers of the acquisition what needs to be done for the new company to meet the goals of the BYOD policy.
Develop a Data Protection Plan
- Include the benefits and the implementation activities required for protection and defense measures such as full disk encryption, BitLocker, and platform identity keys.
- Convey to your leadership the importance of system integrity and an overall trusted computing base, environment, and support.
- Describe what this would entail and include Trusted Platform Module (TPM) components and drivers.
- How are these mechanisms employed in an authentication and authorization system?
Review Supply Chain Risk
- Include supply chain risks and list the security measures in place to mitigate those risks.
- Use NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, to explain the areas that need to be addressed.
Build a Vulnerability Management Program
- Use NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, to develop a program to scan for vulnerabilities and build a vulnerability management program.
- Explain to the managers how to implement this change, why it is needed, and any costs involved.
Educate Users
- Inform the users of the new and old company of the changes, including policies, processes, and other aspects that were updated.
- Explain to the acquisition managers the requirements for training the workforce.
*******Cybersecurity for a Successful Acquisition Report Feedback*******
2. Executive Briefing Slides (3-5 slides; narration not needed)
*******Executive Briefing Slides Feedback******
Project 4
Project 4: Requires the Following THREE Pieces
1a. Proposal for Secure Videoconferencing (6 pages minimum, double-spaced)
1b. Executive summary (one-page summary at the beginning of your Proposal)
1. Proposal for Secure Videoconferencing (6 pages max)
Develop Functional Requirements for Videoconferencing
- Executive summary: one page at the beginning of the Proposal for Secure Videoconferencing.
- Explain the videoconferencing solutions for Skype, GotoMeeting, Polycom, and Cisco Webex; include their capabilities, advantages, and disadvantages.
- Identify costs as well as implementation and support requirements for Skype, GotoMeeting, Polycom, and Cisco Webex videoconferencing.
- The functional requirements and the three possible solutions will be a section of your Proposal for Secure Videoconferencing.
Discuss Implementation Challenges
- Include the advantages and disadvantages of the implementation options for the three systems you selected.
- Include the changes the media company will need to make to implement the systems.
- Explain how system administration or privileged identity management will operate with these systems.
- Examine how data exfiltration could occur with each of the new systems.
Identify Vendor Risks
- Look at the systems’ known vulnerabilities and exploits. Examine and explain the past history of each vendor with normal notification timelines, release of patches, or workarounds (solutions within the system without using a patch).
- Address the timeliness of response with each company in helping customers stay secure.
Develop Best Practices for Secure Videoconferencing
- Outline security best practices for videoconferencing that you would like users and systems administrators to follow.
- Discuss how these best practices will improve security and minimize the risks of data exfiltration as well as snooping.
- Title this section “Best Practices.” It will be part of the overall Proposal for Secure Videoconferencing.
Develop System Integrity Checks
- Develop system integrity checks for files shared between users of the videoconferencing systems.
Submit Your Proposal
- Recommend a system that best meets the business functionality and security requirements of the company.
- Prepare a set of high-level executive briefing slides to give the CEO and CIO an overview of your study.
*******Proposal for Secure Videoconferencing Feedback*******
2. Executive Briefing (3 to 5 slides; narration not needed)
Generate a lab report that will be part of your final assignment (Step 5).
*******Lab Experience Report Feedback******
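For the “Develop System Integrity Checks” item above, the following added example (not part of the course materials, and not a feature of any of the vendors named) shows one workable design: the sender publishes a manifest of SHA-256 digests for the shared files, authenticated with an HMAC under a key the parties exchanged outside the file share, and each receiver verifies the manifest first and then every file, reporting tampered, missing and unexpected files separately. The files are an in-memory dict of constructed bytes so the block runs offline; the manifest layout, the file names and the shared key are assumptions.

```python
"""Integrity checks for files shared through a videoconferencing tool.

Added example; not the course's or any vendor's code. Files are represented
as an in-memory dict of name -> bytes (constructed sample data) so the block
runs offline; the manifest format and the shared key are assumptions.
The sender publishes a manifest (per-file SHA-256 plus a keyed MAC over the
whole manifest); the receiver recomputes and reports tampered, missing and
unexpected files. A plain hash list would let an attacker who can replace
the file also replace the hash, so the manifest itself is authenticated.
"""
import hashlib
import hmac
import json

# Constructed shared secret; in practice distributed out of band (e.g. with the
# meeting invite), never inside the file share itself.
SHARED_KEY = b"meeting-2024-04-demo-key"

# Constructed sample files as the sender sees them.
SENDER_FILES = {
    "agenda.pdf":   b"%PDF-1.4 agenda for the quarterly review",
    "budget.xlsx":  b"PK\x03\x04 budget workbook bytes",
    "minutes.docx": b"PK\x03\x04 minutes draft",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> str:
    """Serialize {name: sha256} with a key-dependent MAC appended.

    Canonical JSON (sorted keys, no whitespace) so both sides MAC identical bytes.
    """
    entries = {name: sha256_hex(data) for name, data in files.items()}
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"files": entries, "mac": tag}, sort_keys=True)


def verify_files(manifest: str, files: dict, key: bytes) -> dict:
    """Check received files against the manifest.

    Returns {"manifest_ok", "ok", "tampered", "missing", "unexpected"}.
    If the manifest MAC fails, nothing in it is trusted and the per-file
    lists stay empty.
    """
    doc = json.loads(manifest)
    body = json.dumps(doc["files"], sort_keys=True, separators=(",", ":"))
    expected_tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    report = {"manifest_ok": False, "ok": [], "tampered": [], "missing": [], "unexpected": []}
    if not hmac.compare_digest(expected_tag, doc["mac"]):
        return report
    report["manifest_ok"] = True
    for name, digest in sorted(doc["files"].items()):
        if name not in files:
            report["missing"].append(name)
        elif hmac.compare_digest(sha256_hex(files[name]), digest):
            report["ok"].append(name)
        else:
            report["tampered"].append(name)
    # Files present on the receiving side that the sender never listed.
    report["unexpected"] = sorted(set(files) - set(doc["files"]))
    return report


def demo() -> dict:
    """Sender builds the manifest; the receiver's copy has been interfered with."""
    manifest = build_manifest(SENDER_FILES, SHARED_KEY)
    received = dict(SENDER_FILES)
    received["budget.xlsx"] = b"PK\x03\x04 budget workbook bytes (edited)"   # altered
    del received["minutes.docx"]                                              # dropped
    received["update.exe"] = b"MZ totally legit"                              # injected
    return verify_files(manifest, received, SHARED_KEY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter here. The manifest must itself be authenticated; a bare list of hashes sitting next to the files can be rewritten by whoever can rewrite the files. And comparisons go through hmac.compare_digest rather than == so the check does not leak timing. If no shared key can be arranged, the same structure works with a digital signature over the manifest body (for example Ed25519 from a library such as cryptography), with only the verification step changing.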
Project 5
Project 5: Requires the Following THREE Pieces
1. Cybersecurity Technology Strategic Plan
2. Executive Presentation (5 to 10 slides; written narration/in-class presentation, or audio/video narration)
Select Devices and Technologies
- Select the devices and technologies most appropriate for data loss prevention for your organization’s business mission and future success.
- Research and choose from the following and discuss your business rationale for selecting or not selecting them:
  - IPv6
  - Internet of Things (IoT)
  - Blockchain
  - Tokenization
  - Data Masking
  - Data Obfuscation
  - Operational Context
  - Tamper-proofing
  - Big Data Analytics
- Include significant detail about these, including what kinds of IoT devices might be appropriate for your company’s use.
Develop Goals and Objectives
- Focus on the organizational mission and develop a set of goals and objectives to show how your chosen devices and technologies will help your company prepare for the future.
- Include a discussion of deploying, maintaining, and securing these devices and technologies, and their impact on the existing company infrastructure and security.
Prepare a SWOT Analysis Table
- Justify adding these devices and technologies to the network infrastructure.
- In order to do this, perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis of each device/technology being introduced into the infrastructure.
- SWOT Chart and Analysis
- Ensure the following questions are answered:
  - How do they influence the operation and maintenance of the network?
  - What can be done to overcome these limiting factors?
Address Integration and Implementation Issues
- Discuss integration issues and problems that can arise when you try to implement them into the infrastructure.
- Address legacy devices in the infrastructure.
Update the Data Flow Diagram
- Complete the lab, then create and include an updated data-flow diagram.
Plan People, Process, and Data Governance Issues
- Discuss people, process, and data governance aspects of deploying new technology.
- Address possible process changes.
- Address possible personnel changes: hiring, training, and retraining of users and administrators.
Finalize the Report
- Compile, review, edit, and proofread.
- As you write the conclusions and summary statements, address the following possible challenges:
  - Any key impacts to the organization or network infrastructure
  - What will the organization need to do in the future to meet goals and objectives?
  - How will your organization ensure continuous improvement?
  - What possible roadblocks could your organization face?
  - How would you overcome these potential roadblocks?
*******Cybersecurity Technology Strategic Plan Feedback*******
2. Presentation (Complete Set of Team Slides and Narration of a Portion)
- Slide narration or in-class or online presentation (5-6 minutes or a portion of the report)
******Presentation Feedback*******
3. Lab Experience Report [Can Be Produced by Designated Member(s) of the Team]