Description
Overview
In cybersecurity, data protection should be the first priority. There are two basic concepts: data at rest and data in transit. Each state of data is protected slightly differently. It may be sufficient to protect data at rest with some type of encryption that is difficult to crack over a long period of time, while data in transit only needs to be protected for as long as it is exposed to an entity that could intercept and try to decipher it. In either case, it is important to know what to do when a breach or incident occurs. A strong computer incident response team (CIRT) is a valuable resource for any company. The premise behind incident response is to identify an attack, contain and eradicate its effects, and minimize the risk of incident recurrence.
What is the shortest amount of time it can take to restore the system to a safe state? The shortest amount of time might not be the most cost-effective. Therefore, the company must prioritize its actions and make sure that, in trying to fix the cyber incident, it doesn’t cause the company more harm. There are many incidents and actions that the CIRT needs to be ready for, so having a highly defined and well-practiced incident response plan is important for the company’s well-being. Having the proper resources, whether they are personnel or information technology related, can play a role in how fast the company recovers from the incident. Being prepared for the worst possible cases, having a strong understanding of the influences of the confidentiality, integrity, and availability (CIA) triad, and knowing how the company will react to those situations could mean the difference between company survival and deeper consequences, such as company closure. Having the proper CIRT is about having the right people for the job. This does not mean that all of senior management needs to be on the CIRT. It does mean that the company must figure out what the proper makeup of the team should be. The team members must be knowledgeable in their roles, as they need to be sure that the decisions they make are in the best interests of the company.
Prompt
After reviewing Breach Analysis Simulation Scenario One, address the critical elements below:
Reflection on CIA and Data Protection
Select a tenet of the CIA triad and explain how the principle applies to the scenario. Justify your response with details or examples from the scenario.
Explain the issues with Secure Sockets Layer (SSL) that facilitated its deprecation and how Transport Layer Security (TLS) remedies those issues.
Incident Response Plan
In small organizations, there typically isn’t a large membership to form the CIRT. Explain how organizations with a small IT department ensure that the CIRT is prepared to handle all possible situations.
What to Submit
Your submission should be 1 to 2 pages in length. Use double spacing, 12-point Times New Roman font, and one-inch margins. All sources must be cited using APA format. Use a file name that includes the course code, the assignment title, and your name—for example, CYB_123_Assignment_Firstname_Lastname.docx.
Module Two Short Response Rubric
Each criterion is scored at one of four levels: Exemplary (100%), Proficient (85%), Needs Improvement (55%), or Not Evident (0%). The value of each criterion is given in parentheses.

Reflection on CIA and Data Protection: Tenet of CIA Triad (30)
  Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
  Proficient (85%): Selects a tenet of the CIA triad and explains how the principle applies to the scenario, including details or examples from the scenario
  Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
  Not Evident (0%): Does not address critical element, or response is irrelevant

Reflection on CIA and Data Protection: Issues with SSL (30)
  Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
  Proficient (85%): Explains the issues with SSL that facilitated its deprecation and how TLS remedies those issues
  Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
  Not Evident (0%): Does not address critical element, or response is irrelevant

Incident Response Plan: Form the CIRT (30)
  Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
  Proficient (85%): Explains how organizations with a small IT department ensure that the CIRT is prepared to handle all possible situations
  Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
  Not Evident (0%): Does not address critical element, or response is irrelevant

Articulation of Response (10)
  Exemplary (100%): Submission is free of errors related to citations, grammar, spelling, and organization and is presented in a professional and easy-to-read format
  Proficient (85%): Submission has no major errors related to citations, grammar, spelling, or organization
  Needs Improvement (55%): Submission has some errors related to citations, grammar, spelling, or organization that negatively impact readability and articulation of main ideas
  Not Evident (0%): Submission has critical errors related to citations, grammar, spelling, or organization that prevent understanding of ideas

Total: 100%
CYB 250 Module Two Short Response Text Version
Breach Analysis Simulation
Scenario One
Breach Analysis Simulation Introduction
Read through the following scenario. You will then be asked to make choices based on your
experience as a security analyst. While there is a best path through the simulation, many of the
other options are viable. You are encouraged to explore all of the options to enhance your
knowledge and to prepare you for future breaches. The purpose of this simulation is to develop
your systems thinking mindset and mature your cyber defense strategies.
Published by Articulate® Storyline www.articulate.com
Breach Analysis Simulation: Scenario One
You are a security analyst working for a company that provides an e-commerce website. Over
the last year, you have had discussions with your supervisor about updates to the systems,
including a transition to Transport Layer Security (TLS) from Secure Sockets Layer (SSL). The
changes have not been implemented due to budgetary constraints. While performing file
system maintenance, you notice low disk quota on the web server.
1. Challenge One
1.1 Challenge One
What is this low disk quota? This is odd; last audit, there was sufficient space. Normal business
operations wouldn’t cause this. What should you do next? Below are the possible answers:
● Try to diagnose the source of the breach
● Consult the incident response plan
● Notify your supervisor
1.2 Try to diagnose the source of the breach
Good thought, but beware! Breaches are complex issues. Many additional obligations beyond
solving the breach need to be addressed. For instance, evidence gathering must be considered,
and communications to stakeholders must be drafted. Finding the source of the breach may be
time-consuming; consequently, other entities can be working on remediation actions during this
time. Try selecting a different response.
1.3 Consult the incident response plan
Although technically this response is the correct process, all employees should know that
alerting their supervisor is the first step; this results in faster action in initiating the proper
response. When you consult the incident response plan, it directs you to immediately contact
your supervisor. Where should the incident response plan be located? Below are the possible
answers:
● Stored digitally on the network
● Each employee should have a hard copy at his/her desk
● Printed out and stored in one specific location
1.3.1 Stored digitally on the network
No, this is not the ideal selection because the network could be compromised or otherwise
inaccessible. Try selecting a different response.
1.3.2 Each employee should have a hard copy at his/her desk
Not quite! Although organizations might choose to do this, it represents an overuse of resources
and creates potential issues related to the frequent updating necessary to this document. Try
selecting a different response.
1.3.3 Printed out and stored in one specific location
Correct! This is standard practice; a single hard copy that is always up to date with the most
current actions prevents issues. It is important to ensure that all individuals are notified when
updates to this document occur.
Now that you have determined where the incident response plan should be located, return to
Challenge One and try selecting a different response.
1.4 Notify your supervisor
Correct! As an analyst, you need to contact your supervisor, who will contact the computer
incident response team and mobilize the appropriate personnel to remedy the situation.
2. Challenge Two
2.1 Challenge Two: Dialogue with Supervisor
Supervisor: “There do appear to be irregularities with the network. I would like you to do some
investigating and find evidence to support your concerns about a breach.”
Where should you look first to try to find evidence of the breach? Below are the possible
answers:
● Look for irregularities in Active Directory
● Analyze access control logs
● Look at the files on the web server
2.2 Analyze access control logs
Looking at access control logs can be a good start when trying to identify who accessed which
areas of the network. However, this is a time-consuming process, and if the hacker is
experienced, it may be difficult to determine whether unauthorized individuals accessed parts of
the network they weren’t supposed to. After review of the access control logs, no evidence of a
breach was found here. Try selecting a different response.
2.3 Look for irregularities in Active Directory
A goal of hackers is to establish a presence in the network. From this presence, hackers look to
escalate privilege to gain access to information on the system or network and hide their activity
within the network. Looking for irregularities is a good foundational step in trying to identify
rogue activity on a network. In this case, there was no clear evidence that the attack progressed
past the initial access to the network. This choice is something to keep in mind if irregularities of
individual performances occur on the network. Try selecting a different response.
2.4 Look at the files on the web server
Correct! Looking at the files on the web server has uncovered the presence of rogue or
unauthorized files. Hackers typically test the waters by trying to upload files to web servers.
They are trying to discover whether or not they can infiltrate your system. If successful, hackers
would try to exploit this vulnerability and look to secure their presence in the network through
the web server. For this challenge, all three choices are viable, but checking for rogue or
unauthorized files can be one of the fastest methods of detecting an attack.
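The check described in this challenge, comparing the web root against a baseline, is easier to run quickly when the baseline already exists. The following is an added example, not part of the simulation text or any product it describes: it assumes a manifest of SHA-256 hashes and file sizes was recorded at the last audit, and it reports files that are new, modified or missing since then, together with the bytes the new files consume, which ties the finding back to the low-disk-quota symptom in Challenge One. The sample web root (index.html, about.html, and a later uploads/unexpected.bin) is constructed inside the block.

```python
"""Baseline-and-compare check for unauthorized files under a web root.

Added example (not from the simulation). Assumes a manifest of
(sha256, size) per file was recorded at the last audit and kept off the
web server, so a compromised host cannot quietly rewrite its own baseline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

FileRecord = Tuple[str, int]  # (sha256 hex digest, size in bytes)


def sha256_of(path: str) -> str:
    """Hash a file in 64 KiB chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, FileRecord]:
    """Walk the web root and record (hash, size) for every regular file.

    Paths are stored relative to the root with '/' separators so a manifest
    taken on one host can be compared with one taken on another.
    """
    manifest: Dict[str, FileRecord] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                # Hashing through a symlink would hash its target, not the
                # link; links are better reviewed by a separate check.
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (sha256_of(full), os.path.getsize(full))
    return manifest


def compare_manifests(baseline: Dict[str, FileRecord],
                      current: Dict[str, FileRecord]) -> Dict[str, object]:
    """Return new, modified and missing paths plus bytes consumed by new files."""
    new: List[str] = sorted(p for p in current if p not in baseline)
    missing: List[str] = sorted(p for p in baseline if p not in current)
    modified: List[str] = sorted(
        p for p in current if p in baseline and current[p][0] != baseline[p][0]
    )
    new_bytes = sum(current[p][1] for p in new)
    return {"new": new, "modified": modified, "missing": missing,
            "new_bytes": new_bytes}


def demo() -> Dict[str, object]:
    """Constructed scenario: take a baseline, then simulate the changes an
    investigator would want flagged (an unexpected upload, an edited page,
    a deleted page) and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html>ok</html>")
        with open(os.path.join(root, "about.html"), "w") as fh:
            fh.write("about")
        baseline = build_manifest(root)          # recorded at last audit

        # Changes since the audit (constructed for the example).
        with open(os.path.join(root, "uploads", "unexpected.bin"), "wb") as fh:
            fh.write(b"\x00" * 4096)             # unknown file eating quota
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html>changed</html>")     # page content altered
        os.remove(os.path.join(root, "about.html"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline manifest is written at audit time and stored somewhere the web server cannot modify, and the comparison is run from an analyst workstation; a non-empty "new" or "modified" list for a web root that only changes through a deployment pipeline is the kind of evidence the supervisor in this challenge asked for.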
3. Challenge Three
3.1 Challenge Three: Conversation with Supervisor
Supervisor: “Good work on identifying the issues with rogue files on the network. It appears that
the attacker was able to place the files on the network because of the weak SSL encryption.
Moving forward, we have reevaluated the budget and made the transition to TLS a priority. But
we need to complete some steps before moving to TLS.”
3.2 Challenge Three: Conversation with Supervisor, Continued
Supervisor: “What do you think is the most important step to be sure we are ready to transition
to TLS?” Below are the possible answers:
● “Hardware. I think we need to ensure that processors, RAM, network media (gigabit
  ethernet or fiber optic), network peripherals, and servers are capable and up to the
  task. Processing time becomes a consideration when implementing TLS because ciphers
  can take time to process, so you may experience a degradation of your network and lag
  time. We want to make sure that our communication infrastructure can handle the
  bandwidth and our network peripherals are as up to date as possible. We will also want
  to assess the health of our servers and server operating systems.”
● “Desktop and server software. I think we need to perform a health check for the local
  machines and take an inventory of other information systems as a first step. The
  communication between software across the organization is complex, and we need to
  ensure that everything works and is thoroughly tested. The last thing we want is to lose
  availability of the network because of software upgrades. Another factor with software
  is the cost of licensing both desktop and server software. This can be a big consideration
  as we plan the transition to TLS.”
● “Personnel: Implementing TLS requires personnel who are trained in the technical
  complexities required to complete this task. These personnel need to know why
  implementing TLS is important and also how to implement it.”
3.3 Desktop and server software
Supervisor: “Great point! While software considerations are important, I think they are
secondary to hardware considerations because hardware is the first major component we will
focus on when upgrading to TLS. We need the underlying infrastructure in place before making
the move. Hardware upgrades have their own challenges and need to be completed first.
Software is an important consideration because, once the right infrastructure is in place, the
correct software is also required for TLS implementation.” Try selecting a different response.
3.4 Personnel
Supervisor: “Great point! While having the right personnel is key, I would argue that this is the
third priority of the choices provided. Having the right personnel is an important consideration,
along with being able to identify the right skill set needed, but having the proper infrastructure
in place is the most important consideration.” Try selecting a different response.
3.5 Hardware
Supervisor: “I agree! This should be our highest priority consideration when transitioning to TLS.
While it is important to take hardware, software, and personnel into consideration, hardware is
the most important because having the infrastructure to run TLS is essential.”
Challenge Review
Your previous suspicions were aligned with what the incident response team discovered during
its investigation. Your initial step of notifying your supervisor was key to having a timely
response to the incident. The incident response team agreed that migrating from SSL to TLS is a
part of the solution.
4. Challenge Four
4.1 Challenge Four
Supervisor: “Thanks for all of your help in identifying the breach and making recommendations
for the remediation! We have successfully implemented TLS, and SSL has been removed from
the system. Moving forward, what are your thoughts on what happens now that the upgrade
has been implemented?” Below are the possible answers:
● “We can continue business as usual because updates have been made and vulnerability
  has been remediated.”
● “We should reevaluate security policies.”
● “We should conduct a security audit.”
4.2 “We can continue business as usual because updates have been made and vulnerability has been remediated.”
Supervisor: “I disagree. While we may be tempted to continue business as usual after
implementing updates to remediate a vulnerability, it is really important to conduct a security
audit to uncover any unintended consequences of those updates and to reevaluate our system
health.” Try selecting a different response.
4.3 “We should reevaluate security policies.”
Supervisor: “Great point! This is an important step in implementing new solutions, but I think
that conducting a security audit should be our first priority because we could uncover
unintended consequences from the changes.” Try selecting a different response.
4.4 “We should conduct a security audit.”
Supervisor: “I agree! Conducting a security audit should be our first priority. By conducting the
security audit, we will perform an evaluation of all systems, which may uncover other issues
from implementation of the vulnerability remediation.”
Breach Analysis Simulation Scenario One Summary
Nice work! This activity is meant to enhance your knowledge about managing a breach by
exploring choices that you could make during a given scenario. It is important that during a
breach you remain calm and stick to the incident response plan. The knowledge gained from this
assignment will help you to form a baseline of cyber defense strategies and your systems
thinking mindset.