To begin this assignment, review the prompt and grading rubric in the Module Five Short Response Guidelines and Rubric. You will be working through Breach Analysis Simulation Scenario Two PPT, or its text-based alternative PDF, which is an interactive scenario that you will use to address questions in the prompt. When you have finished your work, submit the assignment here for grading and instructor feedback.
CYB 250 Module Five Short Response Guidelines and Rubric
Overview
Security analysts play an important role working alongside the computer incident response team (CIRT). The analyst will be the individual who either fixes the issues or allocates resources to fix the issues identified by the CIRT. Using resources to facilitate the work becomes essential to sustain the health of an organization. Applying the Center for Internet Security (CIS) critical controls to company infrastructure is normal practice for an analyst. The controls are meant to guide the organization toward compliance. They are not meant to be used in isolation. Comparing an organization’s technical concerns to the CIS critical controls provides a means of developing solutions to remediate issues. Once the issues are identified and remediated, the next step is to determine how to properly report those issues to different stakeholders.
Prompt
After reviewing Breach Analysis Simulation Scenario Two, address the critical elements below:
I. Reporting: Select an audience for reporting (sales team, senior management, or other stakeholders).
A. Explain how you report technical concerns to non-technical people in your selected audience. Keep in mind that most managerial roles are non-technical in nature; managers need information presented to them in a format they can easily understand and use.
II. Subcontrols: Refer to the CIS Controls worksheet used in Breach Analysis Simulation Scenario Two and recommend two additional subcontrols that could be modified by policy, implementation, automation, or reporting to enhance security for the organization.
A. Subcontrol One: Describe the modification of the subcontrol and justify your recommendation.
B. Subcontrol Two: Describe the modification of the subcontrol and justify your recommendation.
III. Two-Factor Authentication: A proposed solution for the breach issue is to use RSA key fobs as a means of two-factor authentication.
A. Discuss the merits of using RSA encryption and the implementation of two-factor authentication.
B. Discuss how different forms of encryption may be used in VPN software.
What to Submit
Your submission should be 1 to 2 pages in length. Use double spacing, 12-point Times New Roman font, and one-inch margins. All sources must be cited using APA format. Use a file name that includes the course code, the assignment title, and your name, for example CYB_123_Assignment_Firstname_Lastname.docx.
11/25/24, 12:36 PM Assignment Information
https://learn.snhu.edu/d2l/le/content/1748997/viewContent/36623164/View 1/2
Module Five Short Response Rubric
Each criterion is scored at one of four levels: Exemplary (100%), Proficient (85%), Needs Improvement (55%), or Not Evident (0%). Value is the criterion’s weight in the total grade.

Reporting: Report Technical Concerns (Value: 30)
  Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
  Proficient (85%): Explains how to report technical concerns to nontechnical people in the selected audience
  Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
  Not Evident (0%): Does not address critical element, or response is irrelevant

Subcontrols: Subcontrol One (Value: 15)
  Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
  Proficient (85%): Describes the modification of the subcontrol and justifies the recommendation
  Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
  Not Evident (0%): Does not address critical element, or response is irrelevant

Subcontrols: Subcontrol Two (Value: 15)
  Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
  Proficient (85%): Describes the modification of the subcontrol and justifies the recommendation
  Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
  Not Evident (0%): Does not address critical element, or response is irrelevant

Two-Factor Authentication: RSA Encryption (Value: 15)
  Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
  Proficient (85%): Discusses the merits of using RSA encryption and the implementation of two-factor authentication
  Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
  Not Evident (0%): Does not address critical element, or response is irrelevant

Two-Factor Authentication: VPN Software (Value: 15)
  Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
  Proficient (85%): Discusses how different forms of encryption may be used in VPN software
  Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
  Not Evident (0%): Does not address critical element, or response is irrelevant

Articulation of Response (Value: 10)
  Exemplary (100%): Submission is free of errors related to citations, grammar, spelling, and organization and is presented in a professional and easy-to-read format
  Proficient (85%): Submission has no major errors related to citations, grammar, spelling, or organization
  Needs Improvement (55%): Submission has some errors related to citations, grammar, spelling, or organization that negatively impact readability and articulation of main ideas
  Not Evident (0%): Submission has critical errors related to citations, grammar, spelling, or organization that prevent understanding of ideas

Total: 100%
Published by Articulate® Storyline www.articulate.com
CYB 250 Module Five Short Response Text Version Breach Analysis Simulation
Breach Analysis Simulation Scenario Two
Breach Analysis Simulation Introduction
Read through the following scenario. You will then be asked to make choices based on your experience as a security analyst. While there is a best path through the simulation, many of the other options are viable. You are encouraged to explore all of the options to enhance your knowledge and to prepare you for future breaches. The purpose of this simulation is to develop your systems thinking mindset and mature your cyber defense strategies.
Breach Analysis Simulation: Scenario Two
You are a security analyst working for an organization that sells mass storage solutions to companies. Several of your clients are law firms. During a routine audit, a breach was identified. This calls into question the safeguards that your company has in place to protect data integrity. Following up on the findings from the computer incident response team (CIRT), your manager has tasked you with reviewing the current controls.
Subset of Current Controls
Review this subset of current controls in the spreadsheet. Prioritize them in the order you would address them for this breach by dragging and dropping each control into the right column. (For more information on the controls, review the CIS Controls document.)
• CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
• CIS Control 12: Boundary Defense
• CIS Control 13: Data Protection
• CIS Control 14: Controlled Access Based on the Need to Know
• CIS Control 16: Account Monitoring and Control
1. Challenge One
1.1 Challenge One: Current Controls Infrastructure Analysis
Based on your input and that of other stakeholders, the highest priority has been deemed to be CIS Control 13: Data Protection; specifically, the focus is subcontrol 13.3 (Monitor and Block Unauthorized Network Traffic). The organization has the automatic tools installed and a policy has been created for the control, but the control is not configured. What is the next step necessary to assure compliance to this control? Below are the possible answers:
• Automate this control
• Report on this control
• Implement the control
1.2 Automate this control
Incorrect. If the policy is not first implemented, it cannot be automated. Try selecting a different response.
1.3 Report on this control
Incorrect. If the policy is not first implemented, it cannot be reported on. Try selecting a different response.
1.4 Implement the control
Correct! For a control to actually work, it needs to be implemented. This should be the first step after the policy is defined.
1.5 Challenge One Review
Nice work! The goal for any system is to be fully automated. It is important to make sure that all policies are created, implemented, and automated if possible. Some controls cannot be fully automated and may need to have some human interaction. During CIRT’s investigation of the breach, they determined that its root cause was network related. Your manager is now assigning you the analysis of network policies related to the breach.
2. Challenge Two
2.1 Challenge Two: Investigating the Network
CIRT identified a port that was mistakenly left open: a client machine was communicating with another client machine on a network that was supposed to be isolated. Further investigation identified that the port had been left open after configuration files were moved three weeks earlier, which left the network open to attack. The current policy for subcontrol 12.2 (Scan for Unauthorized Connections Across Trusted Network Boundaries) specifies that scans are scheduled to run monthly.
How would you update the policy to prevent this type of vulnerability in the future? Below are the possible answers:
• Scans should be run as often as time allows
• Scans should be run on a daily basis
• Scans should be run based on the current policy and after any configuration changes
2.2 Scans should be run as often as time allows
Incorrect! It is a good strategy to always run scans on a routine basis. Running them as often as time allows could either use up more resources than needed or, worse, could result in scans being put off for a long period of time, leaving the network open to attacks. Try selecting a different response.
2.3 Scans should be run on a daily basis
Good choice! However, running scans on a daily basis could significantly tax resources. Updating the policy in this manner may keep the network more secure, but at what cost? This update could require changes to the company infrastructure.
If we updated the policy to require that scanning be completed on a daily basis, what is the biggest issue with the availability tenet of the CIA triad? Below are the possible answers:
• The resources requirement is not met.
• The resources are not properly allocated.
• Daily scanning could tax resources beyond their capabilities.
2.3.1 The resources requirement is not met.
Incorrect! If you are trying to implement a task where there are not proper resources available to perform the action, the task cannot be completed. Evaluating and planning resources is an important part of project planning. Try selecting a different response.
2.3.2 The resources are not properly allocated.
Incorrect! The resources are available but they are not allocated to the project or task. Allocating the proper resources can be done through dependency charts or project timeline planning. Try selecting a different response.
2.3.3 Daily scanning could tax resources beyond their capabilities.
Correct! It is possible to overuse the resources allocated for a job. Although there may be IT infrastructure time for the scans to run every day, the human part of the resources may not have the time. It is important to balance the amount of human resources and IT resources a project is going to need to be efficient. A proper balance allows all parts of the system to run properly. Now that you have explored the impact on resources, return to Challenge Two and try selecting a different response.
2.4 Scans should be run based on the current policy and after any configuration changes
Correct! Running the scans on a routine basis is essential for the company to stay secure. The interval in the current policy has been sufficient; however, the policy should always be evaluated for optimal efficiency. If this evaluation deems monthly scans adequate, the policy should be updated to also require a scan after any configuration change, so that a change cannot leave another part of the system exposed or an important resource unprotected.
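As an added example for Challenge Two (it is not part of the simulation or the course material), the Python below shows what the updated 12.2 policy looks like in practice: it parses a scan in nmap's grepable (-oG) output format, reports open ports that the approved baseline for the isolated client network does not list, and fingerprints the configuration files so that a move or edit of those files (the kind of change that left the port open) forces a scan before the next monthly run. The hosts, ports and file contents are constructed sample data; the baseline, the 30-day interval and the file names are assumptions.

```python
"""Boundary-scan review for CIS subcontrol 12.2 (added example, constructed data)."""
import hashlib
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, int, str]  # (host, port, protocol)

# Constructed baseline: the only listeners approved on the isolated client network.
APPROVED: Set[Listener] = {
    ("10.20.0.11", 22, "tcp"),
    ("10.20.0.11", 443, "tcp"),
    ("10.20.0.12", 443, "tcp"),
}

# Constructed scan output in nmap -oG form. 8080 on .12 and 445 on .13 are not in the baseline;
# 8443 on .12 is reported closed and must be ignored.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.20.0.11 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.20.0.12 ()\tPorts: 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 8443/closed/tcp//https-alt///
Host: 10.20.0.13 ()\tPorts: 445/open/tcp//microsoft-ds///
"""


def parse_grepable(text: str) -> Set[Listener]:
    """Return the (host, port, proto) triples reported open in an nmap -oG scan."""
    found: Set[Listener] = set()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Everything after "Ports:" up to the next tab-separated field (e.g. "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version
            if len(parts) >= 3 and parts[1] == "open":
                found.add((host, int(parts[0]), parts[2]))
    return found


def unauthorized_listeners(found: Set[Listener], approved: Set[Listener]) -> List[Listener]:
    """Listeners seen in the scan that the baseline does not approve, in stable order."""
    return sorted(found - approved)


def config_fingerprint(configs: Dict[str, bytes]) -> str:
    """SHA-256 over every config file's name and content in canonical order.

    Any edit, rename, addition or removal changes the digest, which is what a
    'scan after any configuration change' policy needs to key on.
    """
    h = hashlib.sha256()
    for name in sorted(configs):
        data = configs[name]
        h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def scan_is_due(last_fingerprint: str, configs: Dict[str, bytes],
                days_since_last_scan: int, interval_days: int = 30) -> bool:
    """True when the routine interval has elapsed OR the config set changed since the last scan."""
    return days_since_last_scan >= interval_days or config_fingerprint(configs) != last_fingerprint


# Constructed config set: moving the rules file changes the fingerprint even though the
# rule text is unchanged, so the move itself triggers a scan.
CONFIGS_BEFORE = {"fw/rules.conf": b"deny tcp any 10.20.0.0/24 any\n"}
CONFIGS_AFTER = {"fw/rules-moved.conf": b"deny tcp any 10.20.0.0/24 any\n"}

if __name__ == "__main__":
    for host, port, proto in unauthorized_listeners(parse_grepable(SCAN_OUTPUT), APPROVED):
        print(f"UNAUTHORIZED {host}:{port}/{proto}")
    fp = config_fingerprint(CONFIGS_BEFORE)
    print("rescan needed after move:", scan_is_due(fp, CONFIGS_AFTER, days_since_last_scan=9))
```

The fingerprint is what turns the policy wording into something a scheduler can act on: store it with the last scan's results, recompute it from the change-management job, and launch the boundary scan when it differs, regardless of where the monthly timer stands.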
3. Challenge Three
3.1 Challenge Three: Email from the Manager
Manager: “The law firms that we store information for are very concerned with the integrity of their data on our system. We must guarantee that the information that resides on our system has not been modified in any way after they uploaded files. We can look at several options to verify that our security is still the best it can be. I propose the following areas for further investigation: human components, hardware components, encryption and security policies.” What area of security do you think is the most important, given the nature of the breach? Below are the possible answers:
• Encryption and security policies
• Hardware components
• Human components
3.2 Encryption and security policies
Correct! There may be certain regulations that your company is held to because of the type of information that it is storing. There could be a need for Health Insurance Portability and Accountability Act (HIPAA) compliance and other forms of privacy. Looking at CIS subcontrols 16.3 (Require Multi-Factor Authentication), 16.4 (Encrypt or Hash All Authentication Credentials), and 16.7 (Establish Process for Revoking Access), we get a strong recommendation that our system needs to have two-factor authentication, needs to use hashing for credentials, and needs to have a process in place for removing employees’ access when they leave the law firms. There are other considerations, but these would need to be our priorities to help ensure the security of data integrity and availability. This is a case where the other options are also viable. You are encouraged to explore them to enhance your knowledge and to prepare you for future breaches.
3.3 Hardware components
Correct! Having the most up-to-date system and controls in place will facilitate strong defense from outside influences. CIS critical subcontrol 11.5 (Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions) requires that all network devices be managed using multi-factor authentication over encrypted sessions. This protects the confidentiality of management traffic and restricts unwanted access to the devices that enforce the network boundary. Try selecting a different response. This is a case where the other options are also viable. You are encouraged to explore them to enhance your knowledge and to prepare you for future breaches.
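The 16.3 and 16.4 recommendations in option 3.2 above (require multi-factor authentication; hash all authentication credentials) and Part III of the prompt (RSA key fobs as a second factor) meet in the same login path, shown here as an added Python example that is not part of the simulation or the course material. Passwords are stored only as salted PBKDF2-HMAC-SHA256 digests, and a login also needs a one-time code from a time-synchronous token. The token side of an RSA SecurID-style fob produces time-based codes rather than performing RSA public-key encryption, so the example uses the openly specified TOTP algorithm (RFC 6238, built on HOTP, RFC 4226) as a stand-in for the proprietary SecurID algorithm. The user record, seed and clock values are constructed; the iteration count, step size and drift window are assumptions.

```python
"""Hashed credentials (CIS 16.4) plus a TOTP second factor (CIS 16.3). Added example, constructed data."""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's current PBKDF2-HMAC-SHA256 figure
TOTP_STEP = 30               # seconds per code (RFC 6238 default)
TOTP_WINDOW = 1              # accept one step of clock drift either side
DUMMY_SALT = b"\x00" * 16    # used so unknown usernames cost the same time as real ones


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Salted PBKDF2 digest; the plaintext password is never stored (16.4)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, stored: Dict[str, bytes]) -> bool:
    candidate = hash_password(password, stored["salt"])["digest"]
    return hmac.compare_digest(candidate, stored["digest"])  # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(user: Dict, code: str, unix_time: int) -> bool:
    """Accept a code for the current step +/- TOTP_WINDOW, never for a step already consumed (replay)."""
    current = unix_time // TOTP_STEP
    for step in range(current - TOTP_WINDOW, current + TOTP_WINDOW + 1):
        if step <= user["last_totp_step"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], step), code):
            user["last_totp_step"] = step
            return True
    return False


def authenticate(users: Dict[str, Dict], username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; an unknown user still pays the PBKDF2 cost so timing does not reveal usernames."""
    user = users.get(username)
    if user is None:
        hash_password(password, DUMMY_SALT)
        return False
    if not verify_password(password, user["password"]):
        return False
    return verify_totp(user, code, unix_time)


# Constructed user record. The TOTP seed cannot be hashed (the server must regenerate codes from
# it), so in production it belongs in an HSM or an encrypted secrets store, not beside the password hash.
USERS = {
    "analyst": {
        "password": hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",  # the RFC 6238 test-vector seed
        "last_totp_step": -1,
    }
}

if __name__ == "__main__":
    now = 59  # constructed clock value from the RFC 6238 test vectors
    code = totp(USERS["analyst"]["totp_secret"], now)
    print("login ok:", authenticate(USERS, "analyst", "correct horse battery staple", code, now))
    print("replay rejected:", not authenticate(USERS, "analyst", "correct horse battery staple", code, now))
```

Two details matter more than the algorithm itself: the comparison of both the digest and the code is constant-time, and a code is consumed once per step, so a captured code cannot be replayed within its validity window. The drift window is a trade-off: widening it tolerates token clock skew at the cost of a few more valid codes per login attempt.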
3.4 Human components
Correct! The human factor of the system can always be the weakest link. Based on CIS critical subcontrol 14.8 (Encrypt Sensitive Information at Rest), we must encrypt all sensitive data at rest using a tool that requires a secondary authentication mechanism, not integrated into the operating system, in order to access the information. Having this policy in place and fully implemented limited the damage: even though the attackers were able to gain access to the network, they could not read the law firms’ sensitive information stored on our systems. Try selecting a different response. This is a case where the other options are also viable. You are encouraged to explore them to enhance your knowledge and to prepare you for future breaches.
4. Challenge Four
4.1 Challenge Four: After the Breach
Since the breach, the IT security team has been proactively identifying other potential vulnerabilities to prevent future breaches. This team has identified gaps in the security of your system. Which of the following solutions would you address first, prioritizing time and budget? Below are the possible answers:
• Evaluate virtual private network (VPN) technologies
• Evaluate email encryption
• Evaluate file integrity
4.2 Evaluate virtual private network (VPN) technologies
Good thought! While not the most ideal solution if you prioritize timeliness, this represents a longer-term solution. An encrypted tunnel to the data may require hardware upgrades and protocol changes. Try selecting a different response.
4.3 Evaluate email encryption
Good thought! However, this solution requires a dedicated server, and software upgrades or migration to a more robust platform. This is the least preferable option when you consider timeliness and scope because it impacts so many systems; however, it does have far-reaching implications for the organization’s security posture. Try selecting a different response.
4.4 Evaluate file integrity
Correct! This is the ideal situation. This solution satisfies the stakeholders with a business-relevant solution that is low-cost and quick to implement.
Breach Analysis Simulation Scenario Two Summary
After debriefing with CIRT, the director of IT, and the IT security team, we need to discuss the reporting needs. This information needs to be shared with various audiences. You need to frame your report to each audience carefully because different audiences have different needs and technical knowledge. For example, senior management (CEO/CFO/CIO) needs you to provide them with a means to make informed decisions to address the identified gaps in security policies. In your activity this week, you will continue this scenario and take the next steps in reporting and recommending solutions.
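The "Evaluate file integrity" solution chosen in Challenge Four, and the manager's requirement in Challenge Three that client files must not change after upload, can be met with an authenticated integrity manifest. The Python below is an added example and is not part of the simulation or the course material: at upload time each file is hashed with SHA-256, and the manifest of hashes is authenticated with an HMAC under a key that the storage servers do not hold, so an attacker who can edit files on the storage system cannot also rewrite the manifest to match. A later check reports files that were modified, removed or added, and refuses to trust a manifest whose HMAC fails. The file contents, names and key are constructed; keeping the HMAC key off the storage hosts (for example in a KMS or HSM) is an assumption about the deployment.

```python
"""Authenticated file-integrity manifest for uploaded client files. Added example, constructed data."""
import hashlib
import hmac
import json
from typing import Dict

CHUNK = 1 << 16


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes; chunked so the same loop serves large files read incrementally."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Sorted keys and fixed separators so the same entries always serialize to the same bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes) -> Dict:
    """Per-file SHA-256 plus an HMAC-SHA256 over the canonical JSON of those entries."""
    entries = {name: sha256_hex(data) for name, data in files.items()}
    return {"entries": entries, "hmac": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: Dict, key: bytes) -> bool:
    """Constant-time check that the manifest was produced under `key` and not edited since."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def check_integrity(files: Dict[str, bytes], manifest: Dict, key: bytes) -> Dict:
    """Compare the current file set with the manifest; a manifest that fails its HMAC is not consulted."""
    if not manifest_is_authentic(manifest, key):
        return {"status": "manifest_tampered", "modified": [], "missing": [], "unexpected": []}
    entries = manifest["entries"]
    modified = sorted(n for n in entries if n in files and sha256_hex(files[n]) != entries[n])
    missing = sorted(n for n in entries if n not in files)
    unexpected = sorted(n for n in files if n not in entries)
    status = "ok" if not (modified or missing or unexpected) else "integrity_violation"
    return {"status": status, "modified": modified, "missing": missing, "unexpected": unexpected}


# Constructed sample data. In production the key comes from a KMS/HSM and never sits on the storage host.
MANIFEST_KEY = b"constructed-demo-key-do-not-use"
UPLOADED = {
    "acme-llp/brief.pdf": b"%PDF-1.7 constructed brief contents",
    "acme-llp/exhibit-a.docx": b"PK constructed exhibit contents",
}

if __name__ == "__main__":
    manifest = build_manifest(UPLOADED, MANIFEST_KEY)
    print(check_integrity(UPLOADED, manifest, MANIFEST_KEY)["status"])
    edited = dict(UPLOADED, **{"acme-llp/brief.pdf": b"%PDF-1.7 edited after upload"})
    print(check_integrity(edited, manifest, MANIFEST_KEY))
```

Plain hashes alone would only detect accidental corruption; the HMAC is what makes the manifest evidence against an attacker who has write access to the storage tier. The same manifest can be handed to the law firm so it can verify its own files independently, which is the kind of guarantee the manager's email asks for.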