1. Mitigating PII Leakage at a Federal Gun Store and Pawn Shop
Team/Students: Ivonne Yeste and Thomas Krawczyk | Business Advisor: Lou Jones | Professor: Dr. Yair Levy, Professor of IS & Cybersecurity
Introduction
Risk Management Analysis (RMA)
Anticipated Results
Problem Definition
Fact Gathering
Project Scope, Goals, and Objectives
Recommended Solution and Action Plan
Proposed Costs
Conclusion
Federal Gun Store and Pawn Shop has no formal information technology (IT)
policies or procedures in place. Employees are not trained regarding PII risks
and proper handling. Hardware and software resources are not appropriately
secured against a PII breach. There is no regular risk assessment or ongoing
monitoring and auditing of IT resources to ensure risks are appropriately
identified and mitigated.
Federal Gun Store and Pawn Shop employs up to five full-time employees and
several part-time employees seasonally. The existing IT infrastructure consists of
five computers in the gun store and two computers in the pawnshop. There is no
firewall. The wireless network has a password but does not use encryption.
Updates are set to auto-download. There is no audit process in place to ensure
these are applied successfully. Anti-virus is in use; however, the subscription has
expired. Accordingly, updates are not applied in a regular fashion. In addition,
anti-malware and spyware detection software is not in use. During transactions,
PII is collected manually, faxed or emailed without encryption.
Center for Information Protection, Education, and Research (CIPhER), http://InfoSec.nova.edu/
College of Engineering and Computing (CEC)
The scope of this project is to propose a solution that will identify and mitigate
the security risks at Federal Gun Store and Pawn Shop. The goals are to assess
the security environment and deliver a solution including creation and
implementation of policies, procedures, security training and physical
improvements to reduce the risk of PII data loss. The overall objective is to
reduce the risk through immediate improvements, continuous ongoing review,
and the mitigation of security risks.
The risk management analysis used by this team is a hybrid approach combining the
NIST Cybersecurity Framework with the Microsoft Security Risk Management Guide
(Microsoft Security Center of Excellence, 2006). This hybrid approach was selected to
offer the business owner a simplified process for ongoing security assessment and
mitigation after the initial engagement.
The NIST Cybersecurity Framework (2014) is a set of industry standards and best
practices to help organizations manage cybersecurity risks; it focuses on the use of
business drivers to guide cybersecurity activities and consideration of cybersecurity
risks as part of the organization’s risk management processes. While the framework
has three distinct sections, this risk analysis will utilize two of the three sections, the
Core and Profile. The Core is a set of cybersecurity activities, outcomes, and
informative references common across critical infrastructure sectors, providing the
detailed guidance for developing individual organizational Profiles. Through use of
the Profiles, the Framework will help the organization align cybersecurity activities
with business requirements, risk tolerances, and resources (NIST, 2014). In order to
be effective, this process must be ongoing.
The Microsoft security risk management guide describes three distinct tasks for
conducting summary level risk prioritization (Microsoft Security Center of Excellence,
2006): Determine Impact Level, Estimate Summary Level Probability, and Complete
the Summary Level Risk List.
The recommended solution is a consulting engagement for policy and procedure
development, security training, implementation of Secure Open PII, and
automated system and software updates. Additionally, physical IT improvements
include installation of a comprehensive Next Generation Firewall (NGFW)
solution incorporating antivirus, antimalware, antispyware, intrusion detection
and prevention and other advanced features as well as an encrypted wireless
network. Also included is post-implementation monthly monitoring and quarterly
ongoing security reviews and risk mitigation.
After implementation of the recommended solution, the anticipated results include
the delivery of a solution comprising the creation and implementation of policies,
procedures, and security training for both management and employees, together
with the implementation of physical IT improvements to reduce the risk of PII data
loss. Also included are post-implementation monthly monitoring and quarterly
ongoing security reviews, along with risk mitigation. The policies, procedures, and
training are anticipated to have the biggest impact on lowering internal risks, while
the implementation of appropriate technology is expected to reduce the risk of
external breaches.
The solution includes initial assessment, policy and procedure creation, training,
and implementation. Also included is post-implementation monthly monitoring
and quarterly ongoing security reviews and risk mitigation.
This proposal for Federal Gun Store and Pawn Shop addresses the need for
policies, procedures, training, and infrastructure improvements in order to reduce
the risk of breaches. It incorporates solutions to mitigate internal risks in the
handling of PII data as well as to minimize exposure to external risks. It also
recommends a quarterly security evaluation to provide a continuous process for
reviewing the store's security posture.
References
Department of Homeland Security (DHS). (2012). Handbook for Safeguarding Sensitive PII. Washington, D.C.: DHS.
Department of Justice, Federal Bureau of Investigation. (2011). NICS Section Federal Firearms Licensee Users Manual. Retrieved from Department of Justice, Federal Bureau of Investigation.
Fowler, G., & Worthen, B. (2011, July 21). Hackers Shift Attacks to Small Firms. Retrieved February 20, 2016, from www.wsj.com: http://www.wsj.com/articles/SB10001424052702304567604576454173706460768
Microsoft Security Center of Excellence. (2006). Security Risk Management Guide. Retrieved January 28, 2016, from Microsoft: https://technet.microsoft.com/en-us/library/cc163143.aspx
Milliken, B. (2016, January 24). It's True! Your Small Business Is A Perfect Target For Hackers. Retrieved from LinkedIn: https://www.linkedin.com/pulse/its-true-your-small-business-perfect-target-hackers-bob-milliken?articleId=6008827995698057216
National Cyber Security Alliance and Symantec. (2016, January 24). 2012 NCSA/Symantec Small Business Study Fact Sheet. Retrieved from Stay Safe Online: http://www.staysafeonline.org/stay-safe-online/resources
National Institute of Standards and Technology. (2014, February 12). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved January 28, 2016, from NIST: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
PricewaterhouseCoopers LLP. (2010). Protect your organization's sensitive information and reputation with high-risk data discovery. Retrieved January 30, 2016, from http://www.pwc.com/us/en/it-risk-security/assets/high-risk-data-discovery.pdf
U.S. Department of Homeland Security. (2011, May). How to Safeguard Personally Identifiable Information. Retrieved February 20, 2016, from Department of Homeland Security: https://www.dhs.gov/xlibrary/assets/privacy/privacy_safeguarding_pii_fact_sheet.pdf
University of Texas at Austin Center for Identity. (2016, January). Top Threats & Responsibilities for Small Businesses. Retrieved January 30, 2016, from https://identity.utexas.edu/small-businesses/top-threats-responses-for-small-businesses
Small businesses are increasingly becoming a target for criminals where
personally identifiable information (PII) best practices are not followed (University
of Texas, 2016, ¶1). Examples of PII include Social Security number (SSN), alien
registration number (A-Number), driver's license number, financial information,
citizenship, immigration status, or medical information in conjunction with the
identity of an individual (Department of Homeland Security (DHS), 2012).
Because of the lack of controls around PII, hackers are targeting easier and
more profitable thefts from small businesses. These small businesses generally
have lax to non-existent security systems, making them an easy source of quick
money (Milliken, 2016). A result of these breaches is failure of the business due
to loss of data and customer confidence (National Cyber Security Alliance and
Symantec, 2016). Federal Gun Store and Pawn Shop is a popular retail gun store
with an adjacent high-traffic pawnshop. Due to the volume of PII collected, there
is special interest in securing this information to minimize the risk of a breach.
Figure 1: NIST Cybersecurity Framework
Function/Category/Subcategory           Description                                   Likelihood  Impact    Risk
Protect/Access Control/PR.AC-1          Employees do not have unique system logins    Medium      Moderate  Medium
Identify/Governance/ID.GV-1             Lack of written policies                      High        Moderate  High
Protect/Protective Technology/PR.PT-3   Limit access to any system resources          High        Moderate  High
Protect/Protective Technology/PR.PT-4   No firewall, intrusion detection, active      High        Critical  Critical
                                        antivirus, anti-malware, encryption
Protect/Information Protection/PR.IP-5  Open access to PII                            High        Critical  Critical
Protect/Information Protection/PR.IP-12 No Patch Management                           High        Moderate  High
Protect/Awareness and Training/PR.AT-1  Users not trained on security best practices  High        Moderate  High
Table 1: Risk Analysis Matrix
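As an added example (not part of the poster or its authors' analysis), the following Python applies the three Microsoft summary-level steps named above (impact level, summary-level probability, summary-level risk list) to the findings of Table 1. The likelihood-by-impact matrix is an assumption: only the three combinations that actually occur in Table 1 are taken from the page, and the remaining cells are filled with a conventional ordering so that the function handles any finding.

```python
# Added example: Microsoft summary-level risk prioritization over the Table 1
# findings. RISK_MATRIX is an ASSUMPTION: only the three likelihood/impact
# combinations present in Table 1 come from the page; the rest are conventional.
from dataclasses import dataclass

LIKELIHOOD = {"Low": 0, "Medium": 1, "High": 2}   # step 2: summary-level probability
IMPACT = {"Low": 0, "Moderate": 1, "Critical": 2}  # step 1: impact level
RISK_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Rows: likelihood Low/Medium/High; columns: impact Low/Moderate/Critical.
RISK_MATRIX = [
    ["Low",    "Low",    "Medium"],    # Low likelihood row (assumed)
    ["Low",    "Medium", "High"],      # Medium x Moderate -> Medium (Table 1)
    ["Medium", "High",   "Critical"],  # High x Moderate -> High, High x Critical -> Critical (Table 1)
]


@dataclass(frozen=True)
class Finding:
    subcategory: str  # NIST CSF subcategory identifier
    description: str
    likelihood: str
    impact: str


def rate(likelihood: str, impact: str) -> str:
    """Combine summary-level probability and impact into a summary risk level."""
    return RISK_MATRIX[LIKELIHOOD[likelihood]][IMPACT[impact]]


def summary_risk_list(findings):
    """Step 3: the Summary Level Risk List, highest risk first; ties are broken
    by impact, then likelihood, then the original table order (sort is stable)."""
    rated = [(f, rate(f.likelihood, f.impact)) for f in findings]
    key = lambda fr: (RISK_RANK[fr[1]], IMPACT[fr[0].impact], LIKELIHOOD[fr[0].likelihood])
    return sorted(rated, key=key, reverse=True)


# Findings transcribed from Table 1 of the poster.
TABLE_1 = [
    Finding("PR.AC-1", "Employees do not have unique system logins", "Medium", "Moderate"),
    Finding("ID.GV-1", "Lack of written policies", "High", "Moderate"),
    Finding("PR.PT-3", "Limit access to any system resources", "High", "Moderate"),
    Finding("PR.PT-4", "No firewall, IDS, active antivirus, anti-malware, encryption", "High", "Critical"),
    Finding("PR.IP-5", "Open access to PII", "High", "Critical"),
    Finding("PR.IP-12", "No patch management", "High", "Moderate"),
    Finding("PR.AT-1", "Users not trained on security best practices", "High", "Moderate"),
]

if __name__ == "__main__":
    for finding, risk in summary_risk_list(TABLE_1):
        print(f"{risk:<9}{finding.subcategory:<10}{finding.description}")
```

Running it reproduces the Risk column of Table 1 and orders the two Critical findings (PR.PT-4 and PR.IP-5) at the top of the list, which is the prioritization the recommended NGFW and PII-handling controls address first.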
Table 2: Proposal Cost Analysis
Description                                       Initial One-Time Costs  Ongoing Costs
SonicWALL NGFW & WAP                              $1,700                  $300 (yearly)
Consulting services: 40 hours @ $150/hour         $6,000                  $2,400 (four-hour security review every quarter @ $150/hour)
Managed services @ $75/hour, eight hours monthly  -                       $7,200
Total                                             $7,700                  $9,900