This is a CST 630 9040 Advanced Cyber Exploitation and Mitigation Methodologies (2228) Project 1
Topic: Security assessment report (SAR)
Please write 13 pages of the Security assessment report (SAR) by strictly following the assignment instructions/steps and video scenario attached to the order. The page count does not include figures, diagrams, tables, or citations. The report should be double-spaced with citations in APA format.
Here is the link for the video scenario: https://youtu.be/DfcKbOaPY9k
The steps are as follows:
Many companies and agencies conduct IT audits to test and assess the rigor of IT security controls in order to mitigate risks to IT networks. Such audits meet compliance mandates by regulatory organizations.
Federal IT systems follow Federal Information Security Management Act (FISMA) guidelines and report security compliance to US-CERT, the United States Computer Emergency Readiness Team, which handles defense and response to cyberattacks as part of the Department of Homeland Security. In addition, the Control Objectives for Information and Related Technology (COBIT) is a set of IT governance and security guidelines that provides a framework for IT system security in the commercial sector.
These audits are comprehensive and rigorous, and negative findings can lead to significant fines and other penalties. Therefore, industry and federal entities conduct internal self-audits in preparation for actual external IT audits, and compile security assessment reports.
Step 1: Conduct a Security Analysis Baseline
In the first step of the project, you will conduct a security analysis baseline of the IT systems, which will include a data-flow diagram of connections and endpoints, and all types of access points, including wireless. The baseline report will be part of the overall security assessment report (SAR).
You will get your information from this data-flow diagram and report, which is generated by the Microsoft Threat Modeling Tool 2016. The scope should include network IT security for the whole organization.
Include the following areas in this portion of the SAR:
• Security requirements and goals for the preliminary security baseline activity.
• Typical attacks to enterprise networks and their descriptions. Include Trojans, viruses, worms, denial of service, session hijacking, and social engineering. Include the impacts these attacks have on an organization.
• Network infrastructure and diagram, including configuration and connections. Describe the security posture with respect to these components and the security employed: local area network (LAN), metropolitan area network (MAN), wide area network (WAN), enterprise. Use these questions to guide you:
o What are the security risks and concerns?
o What are ways to get real-time understanding of the security posture at any time?
o How regularly should the security of the enterprise network be tested, and what type of tests should be used?
o What are the processes in play, or to be established to respond to an incident?
o Workforce skill is a critical success factor in any security program, and any security assessment must also review this component. Lack of a skilled workforce could also be a security vulnerability. Does the security workforce have the requisite technical skills and command of the necessary toolsets to do the job required?
o Is there an adequate professional development roadmap in place to maintain and/or improve the skill set as needed?
o Describe the ways to detect this malicious code and the tactics bad actors use to evade detection.
• Public and private access areas, web access points. Include in the network diagram the delineation between open and closed networks, where they coexist, and show the connections to the internet.
• Physical hardware components. Include routers and switches. What security weaknesses or vulnerabilities are within these devices?
• Operating systems, servers, network management systems as they relate to data in transit vulnerabilities:
o endpoint access vulnerabilities
o external storage vulnerabilities
o media access control and Ethernet vulnerabilities
o virtual private network vulnerabilities
• Possible applications. This network will incorporate a BYOD (bring your own device) policy in the future. The IT auditing team and leadership need to understand current mobile applications and possible future applications and other wireless integrations. You will use some of this information in Project 2 and also in Project 5.
The overall SAR should detail the security measures needed, or the implementation status of those in progress, to address the identified vulnerabilities. Include:
• Through your research, provide the methods used to provide the protections and defenses.
• From the identification of risk factors in the risk model, identify the appropriate security controls from NIST SP 800-53A and determine their applicability to the risks identified.
The baseline should make up at least three of the 13 pages of the overall report.
When you have completed your security analysis baseline, move on to the next step, in which you will use testing procedures that will help determine the company’s overall network defense strategy.
Step 2: Determine a Network Defense Strategy
You’ve completed your initial assessment of the company’s security with your baseline analysis. Now it’s time to determine the best defenses for your network.
Start by reading a publication by the National Institute of Standards and Technology, Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, and outline how you would test violations. Identify how you will assess the effectiveness of these controls and write test procedures that could be used to test for effectiveness. Write them in a manner to allow a future information systems security officer to use them in preparing for an IT security audit or IT certification and accreditation. Within this portion of the SAR, explain the different testing types (black, white, and gray box testing).
Black, White, and Gray Box Testing
In vulnerability testing, ethical hacking, or penetration testing (pen testing), the black, white, and gray colors, though metaphorical, are known to most security professionals in the cybersecurity domain. While none is superior to the others, it’s crucial to choose the right approach for a particular purpose in specific settings.
Black box testing is a useful form of penetration testing to help determine vulnerabilities and points of weakness across an organization’s network. Black box testing attempts to simulate a real-world scenario where an attacker might not have full insight into the client’s network.
The black box testing model operates with limited transparency for a penetration test. The hacker has no knowledge of the organization’s network architecture, and only a few of the security professionals are aware of the test in progress. The black box model of penetration testing attempts to simulate a real-life attack, where hackers would not have knowledge of the organization’s network or security policies.
The black box model of ethical hacking can be split into five main phases: reconnaissance, service determination, enumeration, gaining access, and privilege escalation (Hafele, 2004).
• Reconnaissance: Initial reconnaissance can provide a wealth of information about the target and can be performed using “readily available public information” (Hafele, 2004). Social engineering is also a method of finding out information about the client.
• Scanning phase or service determination: Occurs when the ethical hacker is listening to various ports across an organization’s network to determine information such as operating systems and potential vulnerabilities.
• Enumeration: Penetration testers continue to determine information about network devices such as routers, switches, and servers in the enumeration phase as they scan for vulnerabilities.
• Gaining access: During this phase, the penetration tester will attempt to compromise systems using cyberattack strategies. Some of these attack strategies involve password cracking, buffer overflow, SQL injection, and denial-of-service attacks.
• Privilege escalation: Once an ethical hacker has gained access to the organization’s systems, the hacker’s next goal is to attain administrator or root-level permissions. With these permissions, hackers can plant malware that can spread easily across the network. Hackers use rootkits to evade detection and/or a backdoor to maintain entry to the target.
White box testing, like black box testing, is also one of the primary strategies used by ethical hackers to see ways to defend networks.
The white box model treats the penetration testing team as insiders with knowledge of the organization’s network and security policy. Organizations opt for the white box testing model for efficient use of time and money. Using a penetration testing team with insider knowledge of the target network can greatly reduce the amount of time and money to complete this task.
White box testing focuses on the insight and expertise of three primary groups within an organization: upper management, technical support management, and human resources working with legal representatives (Hafele, 2004).
Upper management works closely with the penetration team to provide information about the company’s security policy, corporate structure, and process flows. Upper management provides a holistic set of viewpoints that the penetration testing team can use to gain further information about the client. Finally, upper management works with the pen test team to create the much-needed rules of engagement that define the targets and the extent of any breaches that will be made during the test.
Technical support management provides the pen test team with information about technical areas such as physical and logical topologies, firewalls, routers, switches, antivirus software, patch management systems, and other similar information. Another area where technical support management plays a large role is in the security evaluation during and after the penetration test.
Human resources and the company’s legal department help ensure the test runs smoothly and ensure there will be no legal issues with breaches made during the penetration test.
White box testing attempts to reduce time and monetary investment by using an ethical hacking team with insight into an organization’s security strategy.
If black box testing treats the network being tested as completely “opaque,” with the tester (or auditor) left with no a priori knowledge of the inner workings of the network or system, and if white box testing allows complete knowledge (“transparency”) of the internal architecture of the network or system, then the gray box counterpart allows limited knowledge. This means that limited information about the internal network is provided to the testing group to help guide its members in focusing their strategy on the selected area being tested. The gray box approach mitigates the disadvantages that the white and black box testing techniques bring.
Hafele, D. M. (2004, February 23). Three different shades of ethical hacking: Black, white and gray. SANS Institute. https://www.sans.org/reading-room/whitepapers/hackers/shades-ethical-hacking-black-white-gray-1390
Include these test plans in the SAR. The strategy should take up at least two of the 13 pages of the overall report.
After you’ve completed this step, it’s time to define the process of penetration testing. In the next step, you’ll develop rules of engagement (ROE).
Step 3: Plan the Penetration Testing Engagement
Now that you’ve completed your test plans, it’s time to define your penetration testing process. Include all involved processes, people, and time frame. Develop a letter of intent to the organization, and within the letter, include some formal rules of engagement (ROE).
Rules of Engagement (ROE)
Penetration tests are often used to identify existing vulnerabilities in an entity’s network or system, and are performed by skilled and trusted security professionals. These tests can range from simple vulnerability scans of the network to exploiting vulnerabilities that compromise systems. These results are properly documented and presented to corporate leadership and system owners to improve the cybersecurity posture of an organization.
Penetration testing can cause unforeseen complications such as network traffic congestion and system downtime, and may cause the same vulnerabilities and compromises it was designed to prevent. Due to the potential consequences of penetration testing, it is vital to create a comprehensive rules of engagement (ROE) before carrying out the test.
Regardless of who performs the penetration test, parameters identifying who will be made aware of the testing and what actions will be performed must be determined. According to FedRAMP’s penetration test guidance, the ROE must account for affected systems and targetable ranges, the acceptable means of social engineering, and the testing timeframe. Penetration testers and system administrators must agree on a scope, testing schedule, methodology, and overall test plan (FedRAMP Program Management Office, 2015).
Rules of Engagement Items:
o e.g., sites chosen for testing
• Evidence handling
o e.g., encryption, sanitization
• Regular status meetings
o discuss: plans, progress, problems
• Time of day to test
• Permission to test
• Legal considerations
Well-defined rules of engagement are essential to a successful penetration test.
FedRAMP Program Management Office. (2015, July 6). FedRAMP penetration testing guidance. https://www.fedramp.gov/files/2015/01/FedRAMP-PenTest-Guidance-v-1-0.pdf
The process and any documents can be notional or can refer to actual use cases. If actual use cases are included, cite them using APA format.
This portion should be about two pages of the overall 13-page report.
After you have outlined the steps of a penetration testing process, in the next step you will perform penetration testing. During the testing, you will determine if the security components are updated and if the latest patches are implemented, and if not, determine where the security gaps are.
Step 4: Conduct a Network Penetration Test
You’ve defined the penetration testing process, and in this step, you will scan the network for vulnerabilities. Though you have some preliminary information about the network, you will perform a black box test to assess the current security posture. Black box testing is performed with little or no information about the network and organization.
To complete this step, you will use industry tools to carry out simulated attacks to test the weaknesses of the network.
Step 5: Complete a Risk Management Cost Benefit Analysis
You’ve completed the penetration testing, and now it’s time to complete your SAR with a risk management cost benefit analysis. Within this analysis, think about the cost of violations and other areas if you do not add the controls. Then add in the cost for implementing your controls.
When you have finished with the cost benefit analysis, which should be at least one page of your overall report, move to the final step, which is the completed SAR.
Step 6: Compile and Submit the SAR and Lab Report
You have completed comprehensive testing in preparation for this audit, provided recommended remediations, and developed a set of recommendations. Now you are ready to submit your SAR.