ISE 510 Final Project Scenario
Background
Limetree Inc. is a research and development firm that engages in multiple research projects with the
federal government and private corporations in the areas of healthcare, biotechnology, and other
cutting-edge industries. It has been experiencing major growth in recent years, but there is also a
concern that information security lapses are becoming rampant as the company grows. Limetree Inc. is
working to establish a strong reputation in the industry, and it views a robust information security
program as part of the means to achieving its goal. The company looks to monitor and remain compliant
with any regulation impacting its operations.
Limetree Inc. recently experienced a security breach; it believes confidential company data has been
stolen, including personal health information (PHI) used in a research study. Limetree Inc. believes the
breach may have occurred because of some security vulnerabilities within its system and processes.
Limetree Inc.’s virtual environment is presented in the Agent Surefire: InfoSec educational video game.
The rest of the environment is presented via an interview with the security manager, Jack Sterling.
Highlight of Interview with Jack Sterling
Interview with Jack Sterling revealed the following about Limetree Inc.’s system and processes:
Hardware/Software:
Desktop Apps: Internet Explorer, Firefox, Google Chrome, MS Office, Adobe Flash, Adobe Acrobat
Applications/Databases:
Browser – Browser in use is Internet Explorer and browser security setting was set to low.
Browsers allow remote installation of applets, and there is no standard browser for the
environment.
Virus Software – McAfee is deployed locally on each user's machine and users are mandated to
update their virus policy every month.
SQL Database – Ordinary users can escalate privilege via SQL Agent. Disk space for SQL database
log is small and is overwritten with new information when it is full. Limetree Inc. is not using any
encryption for sensitive data at rest within the SQL server environment.
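An audit sketch for two of the SQL Database findings above (privilege escalation via SQL Agent, and no encryption at rest). It is added here as an example and is not part of the original scenario. It assumes Microsoft SQL Server, read access to msdb, and VIEW SERVER STATE permission for the encryption query.

```sql
-- Added example, not from the scenario. Assumes Microsoft SQL Server.
USE msdb;

-- 1. Principals that can own SQL Server Agent jobs without being sysadmin:
--    members of the fixed msdb SQLAgent* roles.
SELECT r.name AS agent_role,
       m.name AS member_name,
       m.type_desc
FROM   sys.database_role_members AS rm
JOIN   sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name IN (N'SQLAgentUserRole', N'SQLAgentReaderRole', N'SQLAgentOperatorRole')
ORDER  BY r.name, m.name;

-- 2. Which logins and roles may run job steps under an Agent proxy credential.
EXEC dbo.sp_enum_login_for_proxy;

-- 3. Job steps that execute outside the database engine (CmdExec, PowerShell, ...).
--    A step with a NULL proxy_id runs as the Agent service account, which is
--    only permitted for jobs owned by a sysadmin; review every row returned.
SELECT j.name                   AS job_name,
       SUSER_SNAME(j.owner_sid) AS job_owner,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)) AS owner_is_sysadmin,
       s.step_id,
       s.subsystem,
       s.proxy_id
FROM   dbo.sysjobs     AS j
JOIN   dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE  s.subsystem <> N'TSQL'
ORDER  BY j.name, s.step_id;

-- 4. User databases without Transparent Data Encryption.
--    encryption_state = 3 means encrypted; NULL means no encryption key exists.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state
FROM   sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE  d.database_id > 4          -- skip master, tempdb, model, msdb
  AND  d.is_encrypted = 0
ORDER  BY d.name;
```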
Network:
The network comprises the following: three web/applications servers, three email servers, five file and
printer servers, two proxy servers, seven remotely manageable Cisco switches, 250 desktops, three
firewall devices, one gateway (router) device to the internet, and three wireless access points.
Configuration Highlights:
Wireless – Wireless network is available with clearly advertised SSID, and it is part of the local
area network (LAN). There is no segmentation or authentication between the wireless and wired
LAN. Visitors are provided an access code to the wireless network at the front desk to use the
internet while they wait to be attended to.
Managed switches – There is no logging of network activities on any of the switches.
Web server – Public-facing web server is part of the LAN. This is where internet users get
needed information on the company. The web servers are
running the following services in
addition: File & Print Services, Telnet, IIS.
– Firewall configuration is very secure, and the logs are reviewed when there is
suspicion of a security event. The following file types are allowed for inbound connection: EXE,
DOC, XML, VBS. In addition, Telnet and FTP are allowed for inbound connection.
– Users determine the length of the password and
complexity, but it is mandatory to
change the password once a year.
ed by the IT
manager and users are notified
immediately once the changes are implemented.
Documentation:
I. There is no documented security policy, or computer use
policy.
II. There is no documented process for changes to the system.
III. There is no contingency plan.
System Backup:
I. Backup is conducted daily by the network administrator, and
tapes are kept safely in the
computer room.
Personnel/Physical Security:
I. While users are not trained on security awareness, emails go
out every month from the system
administrator warning users of emerging threats.
II. Visitors sign in at the front desk before they are allowed to
walk in to see employees at their
respective offices.
III. Remote employees connect via virtual private network.
Their laptops are configured exactly as
the desktops in the office with unencrypted hard drives.
IV. Often users are allowed to bring in their own laptops,
connect to corporate system, and
complete their tasks, especially if they are having issues with
laptops provided by the company.
Incident Response:
At Limetree Inc., systems administrators are notified of
computer incidents, and the administrators
escalate to the IT manager, who reports incidents to the security
manager if they are deemed relevant.
Currently there is no official documented process of reporting
incidents. There is also no previous
documented history of incidents, even though Limetree Inc. has
experienced quite a few. Corrective
measures are taken immediately after an incident, though none
of the measures was ever documented.
ISE 510 Video Game Assignment Guidelines and Rubric
Prompt: In Module Three, you will play the Agent Surefire:
InfoSec game, which is an extension of the risk assessment
project (final project) scenario. You will
complete your final project based on the information you
discover about physical vulnerabilities here. You should
discover, assess, and document at least seven
security vulnerabilities within the virtual environment.
Correctly categorize each vulnerability based on the methods
specified in the game. The virtual
environment should be viewed as part of the system described in
your final project.
Detailed instructions will be provided once you access the
game. This activity can be expected to take about 45 minutes to
an hour. You are not required to play
the game to its conclusion (although you might want to!). The
purpose of this game play is to discover physical vulnerabilities
that you can use for your final
project.
Access the game on the Jones & Bartlett Learning website here.
Guidelines for Submission: Submit your documented security
vulnerabilities to your instructor in Blackboard via the
submission link for this assignment.
Instructor Feedback: This activity uses an integrated rubric in
Blackboard. Students can view instructor feedback in the Grade
Center. For more information,
review these instructions.
Rubric

Critical Element: Discover, Assess, and Document at Least Seven Security Vulnerabilities (Value: 60)
  Exemplary (100%): Meets “Proficient” criteria and expertly discovers, assesses, and documents a minimum of seven security vulnerabilities
  Proficient (90%): Discovers, assesses, and correctly documents five or six security vulnerabilities
  Needs Improvement (70%): Discovers, assesses, and correctly documents three or four security vulnerabilities
  Not Evident (0%): Two or fewer security vulnerabilities are correctly discovered, assessed, and documented

Critical Element: Categorize Each Vulnerability (Value: 30)
  Exemplary (100%): Meets “Proficient” criteria and correctly categorizes a minimum of seven security vulnerabilities
  Proficient (90%): Correctly categorizes five or six security vulnerabilities
  Needs Improvement (70%): Correctly categorizes three or four security vulnerabilities
  Not Evident (0%): Two or fewer security vulnerabilities are correctly identified

Critical Element: Articulation of Response (Value: 10)
  Exemplary (100%): Submission is free of errors related to grammar, spelling, syntax, and organization and is presented in a professional and easy-to-read format
  Proficient (90%): Submission has no major errors related to grammar, spelling, syntax, or organization
  Needs Improvement (70%): Submission has major errors related to grammar, spelling, syntax, or organization that negatively impact readability and articulation of main ideas
  Not Evident (0%): Submission has critical errors related to grammar, spelling, syntax, or organization that prevent understanding of ideas

Total: 100%
https://moodle.jblcourses.com/course/view.php?id=2267
http://snhu-media.snhu.edu/files/production_documentation/formatting/rubric_feedback_instructions_student.pdf