How the US Military does Risk Management is a little different from what we have seen thus far. The notable difference is the selection of the controls. The process we have seen usually begins by identifying the threats and vulnerabilities, and specific controls are then selected to address them. The US Military, on the other hand, first defines the system category based on the impact of confidentiality, integrity, and availability (STEP 1 in figure). From there, it MUST use the controls needed to meet the system category! (STEP 2 in figure). This removes the arguments over what controls should or should not be implemented. As an example, I had a public-facing website with low confidentiality, integrity, and availability requirements, and we had to implement 107 controls. This approach is clever in that I don’t need to estimate probabilities or the likelihood of threats/vulnerabilities – I just include the proper suite of controls. (In fact, there are 3 possible impact levels for each objective: 3 confidentiality x 3 integrity x 3 availability equals 27 possible outcomes, and each outcome had a particular set of controls; but the idea is the same.)
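As an added worked example (not code from the handout or from any DoD or NIST document), here are the two steps just described in Python: build the security category from the three impact levels, derive the overall system level, and select the control baseline that the category demands. The categorization follows FIPS 199 and the "high-water mark" rule follows FIPS 200, which collapses the 27 categories into three baselines; the handout's per-outcome control sets are the military variant of the same idea. The control catalog is a constructed illustration: the control ids are real SP 800-53 identifiers, but their allocation to baselines here is made up for the example and is not the real baseline table.

```python
"""Security categorization and baseline selection, FIPS 199 / FIPS 200 style.

Added example, not code from the handout. The categorization and the
high-water-mark rule are as FIPS 199/200 describe them; the control catalog
below is a constructed illustration, not the real SP 800-53 baseline tables.
"""
from itertools import product

LEVELS = ("low", "moderate", "high")            # FIPS 199 impact levels, ascending
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed catalog: real SP 800-53 control ids, illustrative allocation only.
BASELINE_CATALOG = {
    "low":      {"AC-2", "AU-2", "IA-2", "IA-5", "SC-7", "SI-4"},
    "moderate": {"AC-2(1)", "AU-6(1)", "IA-2(1)", "SC-8", "SC-28"},
    "high":     {"AC-2(11)", "AU-9(2)", "SC-7(21)"},
}


def security_category(confidentiality, integrity, availability):
    """Step 1: SC = {(confidentiality, x), (integrity, y), (availability, z)}."""
    sc = dict(zip(OBJECTIVES, (confidentiality, integrity, availability)))
    for objective, level in sc.items():
        if level not in LEVELS:
            raise ValueError(f"{objective}: expected one of {LEVELS}, got {level!r}")
    return sc


def high_water_mark(sc):
    """FIPS 200 rule: the system's overall impact level is the highest of the three."""
    return max(sc.values(), key=RANK.__getitem__)


def required_controls(sc):
    """Step 2: the baseline for the overall level. Baselines are cumulative, so a
    moderate system gets every low control plus the moderate additions."""
    overall = high_water_mark(sc)
    controls = set()
    for level in LEVELS[: RANK[overall] + 1]:
        controls |= BASELINE_CATALOG[level]
    return sorted(controls)


def all_categories():
    """Every distinct category: 3 x 3 x 3 = 27 combinations."""
    return [security_category(*combo) for combo in product(LEVELS, repeat=3)]


def format_category(sc):
    """Render the category in the FIPS 199 notation."""
    inner = ", ".join(f"({objective}, {sc[objective]})" for objective in OBJECTIVES)
    return "SC = {" + inner + "}"


if __name__ == "__main__":
    # Constructed example system; the control count comes from the toy catalog.
    website = security_category("low", "low", "low")
    print(format_category(website), "->", high_water_mark(website),
          len(required_controls(website)), "controls")
    print(len(all_categories()), "possible categories")
```

The point the code makes explicit is that nothing in it estimates likelihood: the only inputs are the three impact levels, and the output is a fixed control set. Swapping the toy catalog for the real baseline table is the only change needed for an actual system.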
Week 2:
Your initial post should be at least 250 words.
PICK Fannie Mae: discuss with the class how your choice
impacts real estate finance. Pay particular attention to their
underwriting standards, underwriting tools, and overall
organization.
+++++++++++++++++++++++++++++++++++++++++++++++
Week 3:
Your initial post should be at least 250 words.
What do we mean by a "mortgage program"?
PICK: Variable interest rate loans and discuss with the class
how your choice differs from traditional 30-year loans. Be sure
to explain the rationale behind the difference, and explain the
pros and cons of variable interest rate loans.
++++++++++++++++++++++++++++++++++++++++++++
Week 3:
Your initial post should be at least 250 words.
Review these questions and determine what the historic
relationship between interest rates and home ownership was,
and what it appears to be in the current housing slump.
What happens to an individual's capacity to borrow as mortgage
interest rates fluctuate?
How did extremely low interest rates in 2004 and 2005, then
rapidly rising rates in 2006 impact home sales? (Hint: Try to
find some data on the web that correlates unit home sales with
interest rates).
What happens to home prices as interest rates fluctuate? Have
home prices recovered since rates have fallen since then to
record lows in late 2010 and beyond?
What happens to DOM (Days on the Market) - or how long it
takes to sell the average home - as rates go up and down?
The Breach at Limetree
Updated November 18, 2017
Background: Limetree Inc. is a research and development firm that engages in multiple research projects with the federal government and private corporations in the areas of healthcare, biotechnology, and other cutting-edge industries.
Limetree recently lost a DOD contract worth millions of dollars because another competitor claimed to have a “superior chemical process that brought about the desired results in half the time, with over seventy-five percent more yield than conventional technologies.” This contract loss troubled Limetree Inc. management because Limetree has been working on that exact same technology for years, and they suspect that it is no mere coincidence that a competitor has claimed their proprietary process as its own.
Management then asked Jack Sterling, Limetree’s security manager, to investigate whether there were any IT-related security problems that could shed some light on the possibility of an insider threat. Jack performed an unannounced sweep of the office area and found serious problems. There were poor security practices at every workstation, such as unauthorized external hard drives and USB devices, passwords under mouse pads, unlocked displays, unauthorized software, obvious phone PINs, wireless passwords on bulletin boards, and improper destruction of sensitive documents.
Jack’s investigation led him to three suspects: Jamie Kim at workstation #14, because her external hard drive held the same proprietary process files that were leaked to the competitor; Duncan Harris at workstation #11, because he had a USB drive with deleted files that also contained the leaked proprietary processes; and Steve Kim at workstation #4, because he had Jamie Kim’s usernames and passwords on a partially shredded paper in the trash. No other employees had any file containing the proprietary processes, or potential access to such files.
Jack also conducted a review of the access logs on the server to rule out any unwarranted wireless access from inside or outside the facility. There were several unauthorized users using the wireless resource, but no access to the servers. Logs on the servers themselves revealed unauthorized directory traversals and DNS poisoning, but these attacks were not in the narrow timeframe in which the insider sold the proprietary process. Jack then navigated to the folder in which the proprietary process was kept and observed that there was no encryption, nor was it isolated on the network. Jack looked up the default password for the Cisco switch and, sure enough, it had not been changed on the routers and switches. Jack also ran a rootkit detector; although it didn’t find one, it did show that a backdoor had been planted in the distant past but wasn’t active now. After finding the backdoor, Jack examined the public-facing webpage and noticed that many of the input fields did not do any data integrity checks. Since that is a poor security practice, he made a mental note to consider common security misconfigurations when he had free time.
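The log review above makes a point that is easy to miss: the traversal attempts were real, but they fell outside the window in which the leak happened, so they were set aside rather than chased first. Here is an added example (not part of the scenario, and not Limetree's logs) of that triage in Python: it parses constructed Common Log Format lines, flags directory-traversal requests including URL-encoded ones, and splits them by whether they fall inside an assumed incident window. The dates in the sample lines and the window itself are constructed.

```python
"""Narrowing log findings to the incident window.

Added example, not from the handout. The log lines are constructed (Common
Log Format, not real Limetree records); the incident window is an assumed
date range standing in for "the narrow timeframe in which the insider sold
the proprietary process".
"""
import re
from datetime import datetime, timezone
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.5.23 - - [02/Nov/2017:09:14:07 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.5.23 - - [02/Nov/2017:09:14:09 +0000] "GET /../../etc/passwd HTTP/1.1" 403 210
203.0.113.9 - - [05/Nov/2017:22:41:55 +0000] "GET /reports/%2e%2e/%2e%2e/config.ini HTTP/1.1" 404 180
10.0.5.41 - - [10/Nov/2017:13:02:30 +0000] "GET /research/process.pdf HTTP/1.1" 200 88213
10.0.5.41 - - [10/Nov/2017:13:02:44 +0000] "GET /research/process-v2.pdf HTTP/1.1" 200 91334
this line is garbage and must not crash the parser
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Parse CLF lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def is_traversal(path):
    """True when a '..' path segment appears, even after URL encoding
    (decoded twice, because double encoding is a common way past naive filters)."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return ".." in decoded.split("/")


def triage(events, window_start, window_end):
    """Separate traversal hits inside the incident window from those outside it,
    so attacks that are real but unrelated to the leak are not chased first."""
    flagged = [e for e in events if is_traversal(e["path"])]
    in_window = [e for e in flagged if window_start <= e["ts"] <= window_end]
    out_of_window = [e for e in flagged if not (window_start <= e["ts"] <= window_end)]
    return {"in_window": in_window, "out_of_window": out_of_window}


def in_window_access(events, window_start, window_end, prefix):
    """Everything that touched a sensitive path during the window, for manual review."""
    return [e for e in events
            if window_start <= e["ts"] <= window_end and e["path"].startswith(prefix)]


# Assumed incident window (constructed for the example).
WINDOW_START = datetime(2017, 11, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 11, 11, 23, 59, 59, tzinfo=timezone.utc)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    result = triage(events, WINDOW_START, WINDOW_END)
    print(f"traversal hits in window: {len(result['in_window'])}, "
          f"outside window: {len(result['out_of_window'])}")
    for e in in_window_access(events, WINDOW_START, WINDOW_END, "/research/"):
        print("review:", e["ip"], e["ts"].isoformat(), e["path"])
```

Run as written, the two traversal hits land outside the window, and the only in-window activity against the sensitive folder is ordinary authenticated-looking GETs from one internal address, which is exactly the kind of record an investigator then has to reconcile with the visitor log and workstation evidence rather than with the web attacks.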
Jack went to the telecommunications closet and discovered that the door was unlocked and the AC was broken; it was critically hot in the small room. He also noticed that someone had opened a ceiling panel (probably to allow fresh air into the closet). Jack now wondered whether there should be a false ceiling in a sensitive area at all. He made another mental note to go through all the physical security concerns when he had time.
Jack went to the main lobby and checked the visitor sign-in sheet. Clearly, the company wasn’t following procedures: only a few people signed in per day, when he knew it should be over 10 people a day. He did notice one thing: of the three suspects, only Steve Kim was visited by a “Jason Byway,” and several times. Jack ran simple background checks using social media (Facebook, LinkedIn, and Google) on all ninety-five people who entered the facility during the time the leak occurred, and only “Jason Byway” was a fake name.
Jack decided to run credit reports on all three suspects. The scores were: Jamie Kim 650; Duncan Harris 670; Steve Kim 540. Jack confiscated all three employees’ workstations and did a preliminary investigation of the hard drives. Of all the suspected employees, only Steve Kim had deleted files with the personal health information (PHI) used in a research study. Thus, Jack concluded that Steve Kim stole the information from another employee (Jamie Kim) and was the insider who sold company secrets, probably to get out of financial trouble.
ISE 510 Final Project Scenario Background
Limetree Inc. is a research and development firm that engages
in multiple research projects with the federal government and
private corporations in the areas of healthcare, biotechnology,
and other cutting-edge industries. It has been experiencing
major growth in recent years, but there is also a concern that
information security lapses are becoming rampant as the
company grows. Limetree Inc. is working to establish a strong
reputation in the industry, and it views a robust information
security program as part of the means to achieving its goal. The
company looks to monitor and remain compliant to any
regulation impacting its operations.
Limetree Inc. recently experienced a security breach; it believes
confidential company data has been stolen, including personal
health information (PHI) used in a research study. Limetree Inc.
believes the breach may have occurred because of some security
vulnerabilities within its system and processes.
Limetree Inc.’s virtual environment is presented in the Agent
Surefire: InfoSec educational video game. The rest of the
environment is presented via an interview with the security
manager, Jack Sterling.
Highlight of Interview with Jack Sterling
Interview with Jack Sterling revealed the following about
Limetree Inc.’s system and processes:
Hardware/Software:
Desktop Apps: Internet Explorer, Firefox, Google Chrome, MS
Office, Adobe Flash, Adobe Acrobat
Applications/Databases:
Browser – The browser in use is Internet Explorer, and the browser
security setting is set to low. Browsers allow remote
installation of applets, and there is no standard browser for the
environment.
Virus Software – McAfee is deployed locally on each user's
machine, and users are mandated to update their virus policy
every month.
SQL Database – Ordinary users can escalate privilege via SQL
Agent. Disk space for the SQL database log is small, and the log is
overwritten with new information when it is full. Limetree Inc.
is not using any encryption for sensitive data at rest within the
SQL server environment.
Network:
The network comprises the following: three web/applications
servers, three email servers, five file and printer servers, two
proxy servers, seven remotely manageable Cisco switches, 250
desktops, three firewall devices, one gateway (router) device to
the internet, and three wireless access points.
Configuration Highlights:
Wireless – A wireless network is available with a clearly
advertised SSID, and it is part of the local area network (LAN).
There is no segmentation or authentication between the wireless
and wired LAN. Visitors are provided an access code to the
wireless network at the front desk to use the internet while they
wait to be attended to.
Managed switches – There is no logging of network activity
on any of the switches.
Web server – The public-facing web server is part of the LAN. This
is where internet users get needed information on the company.
The web servers are running the following services in addition:
File & Print Services, Telnet, IIS.
Firewalls – Firewall configuration is very secure, and the logs
are reviewed when there is suspicion of a security event. The
following file types are allowed for inbound connections: EXE,
DOC, XML, VBS. In addition, Telnet and FTP are allowed for
inbound connections.
Passwords – Users determine the length and complexity of the
password, but it is mandatory to change the password once a year.
Network configuration changes are determined by the IT
manager, and users are notified immediately once the changes
are implemented.
Documentation:
I. There is no documented security policy or computer use policy.
II. There is no documented process for changes to the system.
III. There is no contingency plan.
System Backup:
I. Backup is conducted daily by the network administrator, and
tapes are kept safely in the computer room.
Personnel/Physical Security:
I. While users are not trained on security awareness, emails go out every month from the system administrator warning users of emerging threats.
II. Visitors sign in at the front desk before they are allowed to walk in to see employees at their respective offices.
III. Remote employees connect via virtual private network. Their laptops are configured exactly like the desktops in the office, with unencrypted hard drives.
IV. Often users are allowed to bring in their own laptops, connect to the corporate system, and complete their tasks, especially if they are having issues with laptops provided by the company.
Incident Response:
At Limetree Inc., systems administrators are notified of
computer incidents, and the administrators escalate to the IT
manager, who reports incidents to the security manager if they
are deemed relevant. Currently there is no official documented
process of reporting incidents. There is also no previous
documented history of incidents, even though Limetree Inc. has
experienced quite a few. Corrective measures are taken
immediately after an incident, though none of the measures was
ever documented.
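The configuration highlights above are the raw material for the test plan and the security controls the project asks for, so it helps to see them as checkable settings rather than prose. The following is an added example (not part of the scenario documents) of a small configuration audit in Python: one constructed dictionary mirrors the weak settings the interview describes, a second is a hardened counterpart, and a rule list turns each setting into a finding with a severity and a remediation. The rule thresholds, such as the minimum password length, and the severity ratings are assumptions made for the example, not values from the scenario.

```python
"""Configuration audit: the interview's weak settings beside a hardened set.

Added example, not from the handout. Both configuration dictionaries are
constructed: SCENARIO_CONFIG mirrors what the interview describes,
HARDENED_CONFIG is a corrected counterpart. Rule thresholds (such as the
minimum password length) and severities are assumptions, not scenario values.
"""

SCENARIO_CONFIG = {
    "wireless":   {"segmented_from_lan": False, "visitor_access": "shared_code_at_front_desk"},
    "switches":   {"logging_enabled": False},
    "web_server": {"in_lan": True, "services": ["IIS", "Telnet", "File & Print Services"]},
    "firewall":   {"inbound_file_types": ["EXE", "DOC", "XML", "VBS"],
                   "inbound_services": ["Telnet", "FTP"], "log_review": "on_suspicion"},
    "passwords":  {"min_length": None, "complexity_enforced": False, "rotation_days": 365},
    "sql":        {"encrypt_at_rest": False, "agent_privilege_escalation": True,
                   "log_overwrite_when_full": True},
    "laptops":    {"disk_encrypted": False},
}

HARDENED_CONFIG = {
    "wireless":   {"segmented_from_lan": True, "visitor_access": "isolated_guest_vlan"},
    "switches":   {"logging_enabled": True},
    "web_server": {"in_lan": False, "services": ["IIS"]},
    "firewall":   {"inbound_file_types": ["DOC", "XML"],
                   "inbound_services": ["HTTPS"], "log_review": "scheduled"},
    "passwords":  {"min_length": 14, "complexity_enforced": True, "rotation_days": 365},
    "sql":        {"encrypt_at_rest": True, "agent_privilege_escalation": False,
                   "log_overwrite_when_full": False},
    "laptops":    {"disk_encrypted": True},
}

# (rule id, severity, predicate that is True when the setting is acceptable, remediation)
RULES = [
    ("wireless-segmentation", "high",
     lambda c: c["wireless"]["segmented_from_lan"],
     "Place wireless on its own segment behind the firewall; isolate guest traffic."),
    ("switch-logging", "medium",
     lambda c: c["switches"]["logging_enabled"],
     "Enable logging on the managed switches and forward it to a central collector."),
    ("web-server-services", "high",
     lambda c: not ({"Telnet", "File & Print Services"} & set(c["web_server"]["services"])),
     "Remove Telnet and file/print services from the public web server."),
    ("web-server-placement", "medium",
     lambda c: not c["web_server"]["in_lan"],
     "Move the public-facing web server out of the internal LAN into a DMZ."),
    ("inbound-executables", "high",
     lambda c: not ({"EXE", "VBS"} & set(c["firewall"]["inbound_file_types"])),
     "Block inbound executable and script file types at the boundary."),
    ("inbound-cleartext-admin", "high",
     lambda c: not ({"Telnet", "FTP"} & set(c["firewall"]["inbound_services"])),
     "Disallow inbound Telnet and FTP; use encrypted, authenticated alternatives."),
    ("firewall-log-review", "medium",
     lambda c: c["firewall"]["log_review"] == "scheduled",
     "Review firewall logs on a schedule, not only after a suspected incident."),
    ("password-policy", "medium",
     lambda c: (c["passwords"]["min_length"] or 0) >= 12 and c["passwords"]["complexity_enforced"],
     "Enforce a central minimum length and complexity instead of leaving it to users."),
    ("sql-encryption-at-rest", "high",
     lambda c: c["sql"]["encrypt_at_rest"],
     "Encrypt sensitive data at rest in the SQL environment (PHI in particular)."),
    ("sql-agent-escalation", "high",
     lambda c: not c["sql"]["agent_privilege_escalation"],
     "Restrict SQL Agent so ordinary users cannot escalate privilege through it."),
    ("sql-log-retention", "medium",
     lambda c: not c["sql"]["log_overwrite_when_full"],
     "Size and archive SQL logs so they are retained rather than overwritten."),
    ("laptop-disk-encryption", "high",
     lambda c: c["laptops"]["disk_encrypted"],
     "Use full-disk encryption on remote laptops that leave the building."),
]


def audit(config):
    """Run every rule; a missing setting is reported as 'unknown' rather than ignored."""
    findings = []
    for rule_id, severity, acceptable, fix in RULES:
        try:
            ok = acceptable(config)
        except KeyError as missing:
            findings.append({"rule": rule_id, "severity": "unknown",
                             "fix": f"setting {missing} is not recorded; collect it"})
            continue
        if not ok:
            findings.append({"rule": rule_id, "severity": severity, "fix": fix})
    return findings


def severity_counts(findings):
    """Tally findings by severity, for the summary table of a test plan."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SCENARIO_CONFIG):
        print(f"[{f['severity']}] {f['rule']}: {f['fix']}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The "unknown" outcome matters in practice: a setting the interview never mentioned (for instance, whether the VPN enforces any client posture check) is a gap in evidence, not a pass, and the test plan should list it as something to collect rather than let it drop out of the findings.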
ISE 510 Final Project Guidelines and Rubric
Overview
The final project for this course is the creation of a security
breach analysis and recommendations.
The relevance of risk assessment cannot be overemphasized as
organizations establish or reaffirm their security posture,
especially in the wake of overwhelming computer security
breaches at many organizations in the United States and around
the world, including government agencies. Organizations seek
to understand their compliance status for current regulations as
well as their vulnerability in order to adopt a proper approach to
manage risks. It is equally important to conduct a risk
assessment after a system breach has occurred to better
understand the threats and the vulnerabilities exploited.
For your final project, you will analyze an information security
breach that has already occurred. This will place you in the role
of a risk assessment expert, coming in to determine how the
breach occurred and develop strategies to mitigate against the
breach reoccurring. Risk assessment experts can fill the
positions of penetration testers, information security auditors,
and independent verification and validation analysts, for
example. Such roles will continue to gain relevance as
organizations and governments continue to move sensitive
financial information, personal health information (PHI), and
personally identifiable information (PII) across publicly
accessible networks and storage devices.
For the final project for this course, you will analyze an
information security breach provided in the Final Project
Scenario document and the educational video game (Agent
Surefire: InfoSec) you will play in Module Three. In your
analysis, you will discuss how the breach occurred, the incident
response processes that were initiated, the impact of the breach,
and applicable regulations to the organization. Then, you will
develop a security test plan for the breached system and create
security controls to ensure that the breach will not reoccur.
The project is divided into three milestones, which will be
submitted at various points throughout the course to scaffold
learning and ensure quality final submissions. These milestones
will be submitted in Modules Three, Five, and Seven. The final
product will be submitted in Module Nine.
This assessment addresses the following course outcomes:
• through analysis of security breaches
• Evaluate incident response processes for their effectiveness in ensuring business continuity in support of organizational goals
• information security of organizations
• networks, applications, or physical security assessment projects based on established cybersecurity standards
• website, and network vulnerabilities
• Organizational culture and communication challenges that could affect cybersecurity risk assessment in a diversified world
Prompt
Your security breach analysis and recommendations should
answer the following prompt: Using your Final Project Scenario
and gameplay from the educational video game Agent Surefire:
InfoSec that you will complete in Module Three, analyze the
information security breach to determine how the breach
occurred, evaluate the incident response processes, and assess
the impact of the breach and applicable regulations on the
business or organization. Then use your analysis to develop a
security test plan, security controls to mitigate risk, and
recommendations that reduce the impact of organizational
culture and communication challenges.
Specifically, the following critical elements must be addressed:
I. Introduction: Provide a brief profile of the business or
organization that has been attacked, including its organizational
goals. In your profile, you could consider the industry in which
the business or organization operates and the product or service
that is the focus, for example.
II. Security Breach: In this section, you will analyze one
current information security breach, describing the business or
organization that has been affected by this breach and
explaining how the breach occurred. Specifically, you should:
A. Attack Location: Determine what part of the business or
organization was attacked by analyzing the security breach that
occurred. For example, was the network attacked? Or was the
company website hacked?
B. Attack Method and Tools: Analyze the security breach to
determine the method and tools that were used to effect the
attack. In other words, how did the attack occur?
C. Vulnerabilities: Based on your analysis, what vulnerabilities
of the business or organization were exploited? How were the
vulnerabilities discovered? For example, were the
vulnerabilities discovered by an employee, a third party, or a
customer?
III. Incident Response: In this section, you will evaluate the
incident response processes that were initiated in response to
the breach. Specifically, you should:
A. Actions: What incident response actions were initiated to
minimize the impact of the breach? In other words, what did the
business or organization do to address the vulnerabilities and
resume normal system operations after the breach?
B. Business Continuity: Evaluate these incident response
actions for their effectiveness in allowing the business to
resume normal system operations after the breach. In other
words, how effective were these incident response actions in
ensuring business continuity and supporting the organization’s
goals?
IV. Impact: In this section, you will discuss the possible
impacts of applicable cybersecurity regulations to the business
or organization. Specifically, you should:
A. Application: Describe the government and industry
regulations that apply to the business or organization in relation
to the security breach. For example, what legislation, directives,
and policies relate to the security breach?
B. Impact: How do these regulations impact the business or
organization and its information security? Support your
response with specific examples.
C. Financial and Legal Implications: Discuss possible financial
and legal implications of the security breach for the business or
organization. Will the business or organization be subject to any
fines or sanctions because of the security breach, for example?
V. Security Test Plan: In this section, you will develop a
security test plan for the breached system, basing your plan on
your analysis of the security breach and established
cybersecurity standards such as those from the National
Institute of Standards and Technology (NIST). Specifically, you
should:
A. Scope: Determine the scope of the risk assessment. For
example, what assets, threats, and vulnerabilities will need to be
addressed? Will the risk assessment need to include networks,
applications, or physical security systems? What policies and
procedures will need to be reviewed?
B. Resources: Document the resources required for the risk
assessment. In other words, what do you need to actually do the
assessment?
C. Hardware and Software: Create a list of system hardware and
software within the target of the risk assessment. In other
words, what are the parts of the system that you are assessing?
D. Tools: Determine the necessary tools for the risk assessment,
based on the list of system hardware and software you created.
VI. Risk Mitigation: In this section, you will create security
controls to ensure that the breach will not reoccur. Specifically,
you should:
A. Security Controls: Create at least five security controls that
mitigate future risks by ensuring that the security breach will
not reoccur. These controls can be technical, administrative, or
personnel security controls, for example.
B. Vulnerabilities: How will the security controls you created
mitigate risks by reducing application, website, and network
vulnerabilities?
C. Evaluation: What are the criteria for measuring the controls
to ensure they are properly implemented? In other words, how
will the security controls be evaluated?
VII. Conclusion: In this section, you will recommend methods
to reduce the impact of organizational culture and
communication challenges. Specifically, you should:
A. Communication: Document interpersonal communication
issues encountered within the risk assessment team. How were
the issues resolved?
B. Organizational Culture: What challenges to organizational
culture occurred as a result of the security breach? In your
response, consider the impact of the security breach on the
reputation of the business or organization.
C. Recommendations: What methods can you recommend to
reduce the impact of these communication and organizational
cultural issues in future risk assessments?
Milestones
Milestone One: Kickoff Agenda
In Module Three, you will submit a kickoff agenda. This milestone will be graded with the Milestone One Rubric.
Milestone Two: Test Plan
In Module Five, you will submit a test plan. This milestone will be graded with the Milestone Two Rubric.
Milestone Three: Incident Response Plan
In Module Seven, you will submit an incident response plan. This milestone will be graded with the Milestone Three Rubric.
Final Submission: Security Breach Analysis and Recommendations
In Module Nine, you will submit your final project. It should be a complete, polished artifact containing all of the critical elements of the final product. It should reflect the incorporation of feedback gained throughout the course. It should also be structured to follow the outline presented in the Prompt. This submission will be graded with the Final Project Rubric (below).
ISE 510 Security Risk Analysis & Plan
Security Breach Analysis and Recommendations
Milestone 2: Test Plan
<Last Name, First Name>
Due <DATE>
Submitted on <DATE>
If late let me know why:
=====================================
Delete these instructions in blue font before submission:
Change file name to MS#2_LAST_FIRST
A few comments up front:
Assume you and your team are hired by Limetree as an IT
Security consultant to analyze the breach, determine the
vulnerabilities, and make recommendations for an extensive
security program to include policies, controls, enforcement of
controls, and continuous monitoring, all for the purpose of
reducing information system risk to an acceptable level.
You will need to look up ONE of the Risk Methodologies listed
in the Reference section. Some are easier than others! So look
at a few and then decide which one you like. If you want to use
another one, just let me know.
If you have any questions, please let me know as soon as
possible.
Introduction
a) Introduce your company (Limetree) and state its capabilities.
It’s good business communication practice to double-check
assumptions and verbal correspondence. I would copy the
background section from final project scenario and make
changes as needed.
b) State your goal for the security breach analysis project.
Whatever you write as the goal should be connected to the
scope below. Remember, we are in a Risk Assessment and
Planning class – so you should include how ‘risk’ fits into the
goal(s).
Scope
a) Define the scope of the project.
From a Project Management perspective, the scope is the
boundary of the project and specifies what aspects will be
included and which aspects are not included. From a
cybersecurity perspective, we’re interested in IT systems,
facilities, people, cybersecurity procedures and policies; threats
and vulnerabilities as mentioned in the Surefire Game or THE
BREACH supplemental document.
Here are some ideas:
Answer these questions in essay format:
a) What is the primary reason Limetree is performing this
activity?
b) What is the Security Breach Analysis and
Recommendations report going to produce? (look back at goals)
c) What were the major threats and vulnerabilities described in
the Agent Surefire Game?
d) What were the major threats and vulnerabilities described in
THE BREACH supplemental document?
e) Any limitations or constraints?
f) How long will it take? (should be less than a month – you can
answer this after you complete ‘Timeline and Benchmarks’
below)
g) About how much will it cost? (you can answer this after you
complete ‘Timeline and Benchmarks’ below)
Remember that the title of the Final Project is "Security Breach
Analysis and Recommendations" so, keep the discussion to that.
Hardware and Software:
a) Create a list of hardware and software present.
Just list the hardware and software found throughout the Final
Project Scenario and the Breach description.
Resources:
a) Determine resources required with brief explanation of why
each is required (e.g., internet access, computers, additional
personnel).
These are the resources needed to complete the Security Breach
Analysis and Recommendations Report (i.e. our Final Project).
Here are the main three types of resources (you can add more if
you want):
List the job titles of the team members and their skill level:
team members and their skills, certifications, and experience.
How much does each member cost per hour?
List the hardware and software: what special hardware or
software, and any licenses or subscriptions required, such as a
penetration test suite.
List the special tools: forensic hard drive duplicators, wireless
detection scanners, etc.
Hint: A team of 5 would be too large, and a team of 1 is too
small.
Timeline and Benchmarks:
a) Discuss your timeline for the project (how long it will take
and why).
This can be a bulleted list of the major tasks to be completed
(No more than 6 major tasks); under each bullet give a short
description. You can list out the tasks and their description like
a Project Manager would.
Also, on each bullet, estimate the number of man-hours required
to complete each major task. Example: 3 people working 5 days
at 40 hours per week is 3 x 40 = 120 man-hours.
EXAMPLE:
1. KICK-OFF Meeting.
The kick-off meeting serves as an opportunity to discuss the
organizational structure, introduction of the team to senior
leaders and IT staff, reviews the facts of the breach, and defines
the scope of the project. Approximately 3 team members, for 2
hours is 6 man-hours.
b) Discuss what regulatory benchmark you will be using to
make vulnerability determination.
Here is an example of what this question is looking for:
The regulatory benchmark that will be used in the vulnerability
determination is the OCTAVE Allegro methodology (Caralli,
Stevens, Young, & Wilson, 2007). The original OCTAVE
methodology was developed by the Software Engineering
Institute (SEI) at Carnegie Mellon University in 1999. Since
then several versions have been developed, and in June 2007,
SEI introduced the OCTAVE Allegro methodology.
Any of the risk methods listed in the References (at the end of
this document) will be acceptable! Or, if you have a risk method
you’d like to use, just let me know.
Approach:
a) State your approach
Here is an example of what this question is looking for:
The OCTAVE Allegro methodology uses an 8-step process for
conducting a risk assessment. These are: 1) Establish risk
measurement criteria; 2) Develop an information asset profile;
3) Identify information asset containers; 4) Identify areas of
concern; 5) Identify threat scenarios; 6) Identify risks; 7)
Analyze risks; and 8) Select a mitigation approach.
OCTAVE Allegro methodology uses questionnaires, worksheets,
checklists, and templates to guide the risk assessor through the
8-step process.
b) Define how you will categorize your findings (Example: low,
medium, high)
Here is an example of what this question is looking for:
The OCTAVE Allegro methodology uses three categories to
evaluate the probability of a threat exploiting a vulnerability –
High, Medium, and Low.
The final risk score is determined by a relative risk score, which
considers a qualitative risk probability (high, medium, low)
combined with a prioritized impact level, taking into
consideration the organization’s criteria.
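To make the relative risk score concrete, here is an added example in Python (not from the handout, the SEI report, or the OCTAVE Allegro worksheets themselves). It follows the Allegro pattern of ranking each impact area by importance and rating a threat scenario's impact on each area as High, Medium, or Low, then multiplying rank by impact value and summing; the impact-area rankings, the 3/2/1 values, the band thresholds, and the probability matrix below are constructed for illustration, and the threat scenario is a constructed one modelled on the insider case in the scenario.

```python
"""Relative risk scoring in the OCTAVE Allegro style.

Added example; not from the handout or the SEI report. The impact-area
rankings, the High/Medium/Low values, the band thresholds and the probability
matrix below are constructed for illustration; a real assessment takes them
from the organization's own risk measurement criteria (Allegro step 1).
"""

IMPACT_VALUE = {"low": 1, "medium": 2, "high": 3}

# Constructed: impact areas ranked 5 (most important) to 1, as an
# organization would set them in its risk measurement criteria.
IMPACT_AREA_RANK = {
    "reputation_and_customer_confidence": 5,
    "financial": 4,
    "productivity": 3,
    "fines_and_legal_penalties": 2,
    "safety_and_health": 1,
}

# Constructed threat scenario modelled on the handout: an insider copies the
# proprietary process to removable media and sells it to a competitor.
INSIDER_EXFIL = {
    "reputation_and_customer_confidence": "high",
    "financial": "high",
    "productivity": "medium",
    "fines_and_legal_penalties": "medium",
    "safety_and_health": "low",
}


def relative_risk_score(impacts, ranks=IMPACT_AREA_RANK):
    """Sum of (area rank x impact value) over all impact areas.

    `impacts` maps each impact area to 'low'/'medium'/'high'. Every ranked
    area must be rated, so nothing is silently treated as no impact.
    """
    missing = set(ranks) - set(impacts)
    if missing:
        raise ValueError(f"unrated impact areas: {sorted(missing)}")
    return sum(ranks[area] * IMPACT_VALUE[impacts[area]] for area in ranks)


def max_score(ranks=IMPACT_AREA_RANK):
    """Highest possible score: every area rated high."""
    return sum(rank * IMPACT_VALUE["high"] for rank in ranks.values())


def risk_band(score, probability, ranks=IMPACT_AREA_RANK):
    """Combine the relative risk score with a qualitative probability.

    Constructed thresholds: thirds of the maximum possible score give the
    impact band; a constructed 3x3 matrix then maps (impact band, probability)
    to one of the Allegro mitigation approaches: accept, defer, or mitigate.
    """
    ceiling = max_score(ranks)
    if score > 2 * ceiling / 3:
        impact_band = "high"
    elif score > ceiling / 3:
        impact_band = "medium"
    else:
        impact_band = "low"
    matrix = {
        ("high", "high"): "mitigate", ("high", "medium"): "mitigate", ("high", "low"): "mitigate",
        ("medium", "high"): "mitigate", ("medium", "medium"): "defer", ("medium", "low"): "defer",
        ("low", "high"): "defer", ("low", "medium"): "accept", ("low", "low"): "accept",
    }
    return impact_band, matrix[(impact_band, probability)]


if __name__ == "__main__":
    score = relative_risk_score(INSIDER_EXFIL)
    print(f"relative risk score: {score} of {max_score()}")
    print("band and approach at medium probability:", risk_band(score, "medium"))
```

The rank-times-value structure is what makes the score "relative": two scenarios with identical High/Medium/Low ratings can score differently if the organization weights the impact areas differently, which is the point of writing the risk measurement criteria down before any threat scenario is analysed.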
References
Add your reference here
Have at least 3 or more references. Delete those references that
you did not use.
Caralli, R. A., Stevens, J. F., Young, L. R., & Wilson, W. R. (2007). Introducing OCTAVE Allegro: Improving the information security risk assessment process (No. CMU/SEI-2007-TR-012). Carnegie Mellon University, Software Engineering Institute. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA470450
CORAS. (2015). The CORAS Method. Retrieved from http://coras.sourceforge.net/
NIST SP 800-37. Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
NIST SP 800-39 (2011). Managing Information Security Risk: Organization, Mission, and Information System View. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). NIST SP 800-30: Risk management guide for information technology systems. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
How to protect the cookies once someone gets into the cookie jar
 
Lesson2.9 o u2l6 who cares about encryption
Lesson2.9 o u2l6 who cares about encryptionLesson2.9 o u2l6 who cares about encryption
Lesson2.9 o u2l6 who cares about encryption
 
VulnerabilityRewardsProgram
VulnerabilityRewardsProgramVulnerabilityRewardsProgram
VulnerabilityRewardsProgram
 
How We Did It: The Case of the Credit Card Breach
How We Did It: The Case of the Credit Card BreachHow We Did It: The Case of the Credit Card Breach
How We Did It: The Case of the Credit Card Breach
 
Ajs 524Believe Possibilities / snaptutorial.com
Ajs 524Believe Possibilities / snaptutorial.comAjs 524Believe Possibilities / snaptutorial.com
Ajs 524Believe Possibilities / snaptutorial.com
 
Ajs 524 Enhance teaching-snaptutorial.com
Ajs 524 Enhance teaching-snaptutorial.comAjs 524 Enhance teaching-snaptutorial.com
Ajs 524 Enhance teaching-snaptutorial.com
 
Working with law enforcement
Working with law enforcementWorking with law enforcement
Working with law enforcement
 
Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach
 
MISO L007 managing system security
MISO L007 managing system securityMISO L007 managing system security
MISO L007 managing system security
 
The Immune System of Internet
The Immune System of InternetThe Immune System of Internet
The Immune System of Internet
 
Ajs 524 Effective Communication / snaptutorial.com
Ajs 524 Effective Communication / snaptutorial.comAjs 524 Effective Communication / snaptutorial.com
Ajs 524 Effective Communication / snaptutorial.com
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 
Protecting Client Data 11.09.11
Protecting Client Data 11.09.11Protecting Client Data 11.09.11
Protecting Client Data 11.09.11
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
Community IT Webinar - IT Security for Nonprofits
Community IT Webinar - IT Security for NonprofitsCommunity IT Webinar - IT Security for Nonprofits
Community IT Webinar - IT Security for Nonprofits
 

More from wellesleyterresa

Hw059f6dbf-250a-4d74-8f5e-f28f14227edc.jpg__MACOSXHw._059.docx
Hw059f6dbf-250a-4d74-8f5e-f28f14227edc.jpg__MACOSXHw._059.docxHw059f6dbf-250a-4d74-8f5e-f28f14227edc.jpg__MACOSXHw._059.docx
Hw059f6dbf-250a-4d74-8f5e-f28f14227edc.jpg__MACOSXHw._059.docxwellesleyterresa
 
HW in teams of 3 studentsAn oil remanufacturing company uses c.docx
HW in teams of 3 studentsAn oil remanufacturing company uses c.docxHW in teams of 3 studentsAn oil remanufacturing company uses c.docx
HW in teams of 3 studentsAn oil remanufacturing company uses c.docxwellesleyterresa
 
HW 5.docxAssignment 5 – Currency riskYou may do this assig.docx
HW 5.docxAssignment 5 – Currency riskYou may do this assig.docxHW 5.docxAssignment 5 – Currency riskYou may do this assig.docx
HW 5.docxAssignment 5 – Currency riskYou may do this assig.docxwellesleyterresa
 
HW#3 – Spring 20181. Giulia is traveling from Italy to China. .docx
HW#3 – Spring 20181. Giulia is traveling from Italy to China. .docxHW#3 – Spring 20181. Giulia is traveling from Italy to China. .docx
HW#3 – Spring 20181. Giulia is traveling from Italy to China. .docxwellesleyterresa
 
HW 2Due July 1 by 500 PM.docx
HW 2Due July 1 by 500 PM.docxHW 2Due July 1 by 500 PM.docx
HW 2Due July 1 by 500 PM.docxwellesleyterresa
 
HW 4 Gung Ho Commentary DUE Thursday, April 20 at 505 PM on.docx
HW 4 Gung Ho Commentary DUE Thursday, April 20 at 505 PM on.docxHW 4 Gung Ho Commentary DUE Thursday, April 20 at 505 PM on.docx
HW 4 Gung Ho Commentary DUE Thursday, April 20 at 505 PM on.docxwellesleyterresa
 
HW 5 Math 405. Due beginning of class – Monday, 10 Oct 2016.docx
HW 5 Math 405. Due beginning of class – Monday, 10 Oct 2016.docxHW 5 Math 405. Due beginning of class – Monday, 10 Oct 2016.docx
HW 5 Math 405. Due beginning of class – Monday, 10 Oct 2016.docxwellesleyterresa
 
HW 5-RSAascii2str.mfunction str = ascii2str(ascii) .docx
HW 5-RSAascii2str.mfunction str = ascii2str(ascii)        .docxHW 5-RSAascii2str.mfunction str = ascii2str(ascii)        .docx
HW 5-RSAascii2str.mfunction str = ascii2str(ascii) .docxwellesleyterresa
 
HW 3 Project Control• Status meeting agenda – shows time, date .docx
HW 3 Project Control• Status meeting agenda – shows time, date .docxHW 3 Project Control• Status meeting agenda – shows time, date .docx
HW 3 Project Control• Status meeting agenda – shows time, date .docxwellesleyterresa
 
HW 1January 19 2017Due back Jan 26, in class.1. (T.docx
HW 1January 19 2017Due back Jan 26, in class.1. (T.docxHW 1January 19 2017Due back Jan 26, in class.1. (T.docx
HW 1January 19 2017Due back Jan 26, in class.1. (T.docxwellesleyterresa
 
Hussam Malibari Heckman MAT 242 Spring 2017Assignment Chapte.docx
Hussam Malibari Heckman MAT 242 Spring 2017Assignment Chapte.docxHussam Malibari Heckman MAT 242 Spring 2017Assignment Chapte.docx
Hussam Malibari Heckman MAT 242 Spring 2017Assignment Chapte.docxwellesleyterresa
 
hw1.docxCS 211 Homework #1Please complete the homework problem.docx
hw1.docxCS 211 Homework #1Please complete the homework problem.docxhw1.docxCS 211 Homework #1Please complete the homework problem.docx
hw1.docxCS 211 Homework #1Please complete the homework problem.docxwellesleyterresa
 
HUS 335 Interpersonal Helping SkillsCase Assessment FormatT.docx
HUS 335 Interpersonal Helping SkillsCase Assessment FormatT.docxHUS 335 Interpersonal Helping SkillsCase Assessment FormatT.docx
HUS 335 Interpersonal Helping SkillsCase Assessment FormatT.docxwellesleyterresa
 
HW #1Tech Alert on IT & Strategy (Ch 3-5Ch 3 -5 IT Strategy opt.docx
HW #1Tech Alert on IT & Strategy (Ch 3-5Ch 3 -5 IT Strategy opt.docxHW #1Tech Alert on IT & Strategy (Ch 3-5Ch 3 -5 IT Strategy opt.docx
HW #1Tech Alert on IT & Strategy (Ch 3-5Ch 3 -5 IT Strategy opt.docxwellesleyterresa
 
HW 2 (1) Visit Monsanto (httpwww.monsanto.com) again and Goog.docx
HW 2 (1) Visit Monsanto (httpwww.monsanto.com) again and Goog.docxHW 2 (1) Visit Monsanto (httpwww.monsanto.com) again and Goog.docx
HW 2 (1) Visit Monsanto (httpwww.monsanto.com) again and Goog.docxwellesleyterresa
 
Hunters Son Dialogue Activity1. Please write 1-2 sentences for e.docx
Hunters Son Dialogue Activity1. Please write 1-2 sentences for e.docxHunters Son Dialogue Activity1. Please write 1-2 sentences for e.docx
Hunters Son Dialogue Activity1. Please write 1-2 sentences for e.docxwellesleyterresa
 
HW 2 - SQL The database you will use for this assignme.docx
HW 2 - SQL   The database you will use for this assignme.docxHW 2 - SQL   The database you will use for this assignme.docx
HW 2 - SQL The database you will use for this assignme.docxwellesleyterresa
 
Humanities Commons Learning Goals1. Write about primary and seco.docx
Humanities Commons Learning Goals1. Write about primary and seco.docxHumanities Commons Learning Goals1. Write about primary and seco.docx
Humanities Commons Learning Goals1. Write about primary and seco.docxwellesleyterresa
 
HURRICANE KATRINA A NATION STILL UNPREPARED .docx
HURRICANE KATRINA  A NATION STILL UNPREPARED   .docxHURRICANE KATRINA  A NATION STILL UNPREPARED   .docx
HURRICANE KATRINA A NATION STILL UNPREPARED .docxwellesleyterresa
 
Humanities 115Short Essay Grading CriteriaExcellentPassing.docx
Humanities 115Short Essay Grading CriteriaExcellentPassing.docxHumanities 115Short Essay Grading CriteriaExcellentPassing.docx
Humanities 115Short Essay Grading CriteriaExcellentPassing.docxwellesleyterresa
 

More from wellesleyterresa (20)

Hw059f6dbf-250a-4d74-8f5e-f28f14227edc.jpg__MACOSXHw._059.docx
Hw059f6dbf-250a-4d74-8f5e-f28f14227edc.jpg__MACOSXHw._059.docxHw059f6dbf-250a-4d74-8f5e-f28f14227edc.jpg__MACOSXHw._059.docx
Hw059f6dbf-250a-4d74-8f5e-f28f14227edc.jpg__MACOSXHw._059.docx
 
HW in teams of 3 studentsAn oil remanufacturing company uses c.docx
HW in teams of 3 studentsAn oil remanufacturing company uses c.docxHW in teams of 3 studentsAn oil remanufacturing company uses c.docx
HW in teams of 3 studentsAn oil remanufacturing company uses c.docx
 
HW 5.docxAssignment 5 – Currency riskYou may do this assig.docx
HW 5.docxAssignment 5 – Currency riskYou may do this assig.docxHW 5.docxAssignment 5 – Currency riskYou may do this assig.docx
HW 5.docxAssignment 5 – Currency riskYou may do this assig.docx
 
HW#3 – Spring 20181. Giulia is traveling from Italy to China. .docx
HW#3 – Spring 20181. Giulia is traveling from Italy to China. .docxHW#3 – Spring 20181. Giulia is traveling from Italy to China. .docx
HW#3 – Spring 20181. Giulia is traveling from Italy to China. .docx
 
HW 2Due July 1 by 500 PM.docx
HW 2Due July 1 by 500 PM.docxHW 2Due July 1 by 500 PM.docx
HW 2Due July 1 by 500 PM.docx
 
HW 4 Gung Ho Commentary DUE Thursday, April 20 at 505 PM on.docx
HW 4 Gung Ho Commentary DUE Thursday, April 20 at 505 PM on.docxHW 4 Gung Ho Commentary DUE Thursday, April 20 at 505 PM on.docx
HW 4 Gung Ho Commentary DUE Thursday, April 20 at 505 PM on.docx
 
HW 5 Math 405. Due beginning of class – Monday, 10 Oct 2016.docx
HW 5 Math 405. Due beginning of class – Monday, 10 Oct 2016.docxHW 5 Math 405. Due beginning of class – Monday, 10 Oct 2016.docx
HW 5 Math 405. Due beginning of class – Monday, 10 Oct 2016.docx
 
HW 5-RSAascii2str.mfunction str = ascii2str(ascii) .docx
HW 5-RSAascii2str.mfunction str = ascii2str(ascii)        .docxHW 5-RSAascii2str.mfunction str = ascii2str(ascii)        .docx
HW 5-RSAascii2str.mfunction str = ascii2str(ascii) .docx
 
HW 3 Project Control• Status meeting agenda – shows time, date .docx
HW 3 Project Control• Status meeting agenda – shows time, date .docxHW 3 Project Control• Status meeting agenda – shows time, date .docx
HW 3 Project Control• Status meeting agenda – shows time, date .docx
 
HW 1January 19 2017Due back Jan 26, in class.1. (T.docx
HW 1January 19 2017Due back Jan 26, in class.1. (T.docxHW 1January 19 2017Due back Jan 26, in class.1. (T.docx
HW 1January 19 2017Due back Jan 26, in class.1. (T.docx
 
Hussam Malibari Heckman MAT 242 Spring 2017Assignment Chapte.docx
Hussam Malibari Heckman MAT 242 Spring 2017Assignment Chapte.docxHussam Malibari Heckman MAT 242 Spring 2017Assignment Chapte.docx
Hussam Malibari Heckman MAT 242 Spring 2017Assignment Chapte.docx
 
hw1.docxCS 211 Homework #1Please complete the homework problem.docx
hw1.docxCS 211 Homework #1Please complete the homework problem.docxhw1.docxCS 211 Homework #1Please complete the homework problem.docx
hw1.docxCS 211 Homework #1Please complete the homework problem.docx
 
HUS 335 Interpersonal Helping SkillsCase Assessment FormatT.docx
HUS 335 Interpersonal Helping SkillsCase Assessment FormatT.docxHUS 335 Interpersonal Helping SkillsCase Assessment FormatT.docx
HUS 335 Interpersonal Helping SkillsCase Assessment FormatT.docx
 
HW #1Tech Alert on IT & Strategy (Ch 3-5Ch 3 -5 IT Strategy opt.docx
HW #1Tech Alert on IT & Strategy (Ch 3-5Ch 3 -5 IT Strategy opt.docxHW #1Tech Alert on IT & Strategy (Ch 3-5Ch 3 -5 IT Strategy opt.docx
HW #1Tech Alert on IT & Strategy (Ch 3-5Ch 3 -5 IT Strategy opt.docx
 
HW 2 (1) Visit Monsanto (httpwww.monsanto.com) again and Goog.docx
HW 2 (1) Visit Monsanto (httpwww.monsanto.com) again and Goog.docxHW 2 (1) Visit Monsanto (httpwww.monsanto.com) again and Goog.docx
HW 2 (1) Visit Monsanto (httpwww.monsanto.com) again and Goog.docx
 
Hunters Son Dialogue Activity1. Please write 1-2 sentences for e.docx
Hunters Son Dialogue Activity1. Please write 1-2 sentences for e.docxHunters Son Dialogue Activity1. Please write 1-2 sentences for e.docx
Hunters Son Dialogue Activity1. Please write 1-2 sentences for e.docx
 
HW 2 - SQL The database you will use for this assignme.docx
HW 2 - SQL   The database you will use for this assignme.docxHW 2 - SQL   The database you will use for this assignme.docx
HW 2 - SQL The database you will use for this assignme.docx
 
Humanities Commons Learning Goals1. Write about primary and seco.docx
Humanities Commons Learning Goals1. Write about primary and seco.docxHumanities Commons Learning Goals1. Write about primary and seco.docx
Humanities Commons Learning Goals1. Write about primary and seco.docx
 
HURRICANE KATRINA A NATION STILL UNPREPARED .docx
HURRICANE KATRINA  A NATION STILL UNPREPARED   .docxHURRICANE KATRINA  A NATION STILL UNPREPARED   .docx
HURRICANE KATRINA A NATION STILL UNPREPARED .docx
 
Humanities 115Short Essay Grading CriteriaExcellentPassing.docx
Humanities 115Short Essay Grading CriteriaExcellentPassing.docxHumanities 115Short Essay Grading CriteriaExcellentPassing.docx
Humanities 115Short Essay Grading CriteriaExcellentPassing.docx
 

Recently uploaded

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 

Recently uploaded (20)

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 

How the US Military does Risk Management is a little different wha.docx

Review these questions and determine what the historic relationship between interest rates and home ownership was, and what it appears to be in the current housing slump. What happens to an individual's capacity to borrow as mortgage interest rates fluctuate? How did extremely low interest rates in 2004 and 2005, then rapidly rising rates in 2006, impact home sales? (Hint: try to find some data on the web that correlates unit home sales with interest rates.) What happens to home prices as interest rates fluctuate? Have home prices recovered since rates have fallen to record lows in late 2010 and beyond? What happens to DOM (Days on the Market), that is, how long it takes to sell the average home, as rates go up and down?

The Breach at Limetree
Updated November 18, 2017

Background:
Limetree Inc. is a research and development firm that engages in multiple research projects with the federal government and private corporations in the areas of healthcare, biotechnology, and other cutting-edge industries. Limetree recently lost a DOD contract worth millions of dollars because another competitor claimed to have a "superior chemical process that brought about the desired results in half the time, with over seventy-five percent more yield than conventional technologies." This contract loss troubled Limetree Inc. management because Limetree has been working on that exact same technology for years, and they suspect that it is no mere coincidence that a competitor has claimed their proprietary process as its own.

The management then asked Jack Sterling, Limetree's security manager, to investigate whether there were any IT-related security problems that could shed some light on the possibility of an insider threat. Jack performed an unannounced sweep of the office area and found serious problems. There were poor security practices at every workstation, such as unauthorized external hard drives and USB devices, passwords under mouse pads, unlocked displays, unauthorized software, obvious phone PINs, wireless passwords on bulletin boards, and improper destruction of sensitive documents.

Jack's investigation led him to three suspects: Jamie Kim at workstation #14, because her external hard drive held the same proprietary process files that were leaked to the competitor; Duncan Harris at workstation #11, because he had a USB device with deleted files that also contained the leaked proprietary processes; and Steve Kim at workstation #4, because he had Jamie Kim's usernames and passwords on a partially shredded paper in the trash. No other employees had any file or potential access to the files that contained the proprietary processes.

Jack also conducted a review of the access logs on the server to rule out any unwarranted wireless access from inside or outside the facility. There were several unauthorized users using the wireless resource, but no access to the servers. Logs on the servers themselves revealed unauthorized directory traversals and DNS poisoning, but these attacks were not in the narrow timeframe in which the insider sold the proprietary process. Jack then navigated to the folder in which the proprietary process was kept and observed that there was no encryption, nor was it isolated on the network. Jack looked up the default password for the Cisco switch and, sure enough, it had not been changed on the routers and switches. Jack also ran a rootkit detector; although it did not find one, it did show that a backdoor had been planted in the distant past but was not active now. After finding the backdoor, Jack examined the public-facing webpage and noticed that many of the input fields did not do any data integrity checks. Since that is a poor security practice, he made a mental note to consider common security misconfigurations when he had free time.
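Jack's log review above rests on two steps: recognising the traversal requests in the server logs, and then checking whether any of them fall inside the narrow window in which the process was leaked. The following script is an added example, not part of the case study or the course materials, that shows both steps on constructed common-log-format lines. Every host, path and timestamp in it is a placeholder made up for the example, and the "leak window" dates are likewise assumed, not taken from the scenario.

```python
"""Added example (not from the case study): time-window review of web-server
logs, the check Jack applied when he discarded traversal attempts that fell
outside the period in which the process was leaked.

All log lines below are constructed for this example; hosts, paths and
timestamps are placeholders, not data from the scenario.
"""
import re
from datetime import datetime

# Constructed sample in common log format (not from the page).
SAMPLE_LOG = """\
10.0.0.12 - - [14/Nov/2017:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [14/Nov/2017:09:15:44 +0000] "GET /files/../../config/app.ini HTTP/1.1" 404 211
10.0.0.31 - - [16/Nov/2017:13:02:10 +0000] "GET /research/process.docx HTTP/1.1" 200 9031
203.0.113.9 - - [17/Nov/2017:02:40:05 +0000] "GET /cgi-bin/..%2f..%2fconfig/app.ini HTTP/1.1" 404 198
10.0.0.31 - - [17/Nov/2017:08:11:52 +0000] "GET /research/process.docx HTTP/1.1" 200 9031
"""

# One common-log-format line: host ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Directory-traversal indicators: literal dot-dot segments and their
# URL-encoded variants. Case-insensitive because %2F and %2f are the same
# byte to the web server.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e%2f|\.\.%2f|%2e%2e/)', re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict with an aware datetime, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def parse_log(log_text):
    """Parse every well-formed line; malformed lines are skipped rather than fatal."""
    return [r for r in (parse_line(line) for line in log_text.splitlines()) if r]


def find_traversal(records):
    """Records whose request path carries a traversal indicator."""
    return [r for r in records if TRAVERSAL_RE.search(r['path'])]


def in_window(records, start_iso, end_iso):
    """Keep records whose timestamp lies in [start, end]; bounds are ISO 8601 with offset."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [r for r in records if start <= r['ts'] <= end]


def review(log_text, start_iso, end_iso):
    """Count traversal hits overall and inside the leak window, and list their sources."""
    hits = find_traversal(parse_log(log_text))
    inside = in_window(hits, start_iso, end_iso)
    return {
        'traversal_total': len(hits),
        'traversal_in_window': len(inside),
        'sources_in_window': sorted({r['src'] for r in inside}),
    }


def accesses_in_window(log_text, path_fragment, start_iso, end_iso):
    """(source, timestamp) pairs for requests to a given path inside the window."""
    recs = in_window(parse_log(log_text), start_iso, end_iso)
    return sorted({(r['src'], r['ts'].isoformat())
                   for r in recs if path_fragment in r['path']})


if __name__ == '__main__':
    # Assumed leak window for the example: 15-16 November 2017 (UTC).
    window = ('2017-11-15T00:00:00+00:00', '2017-11-16T23:59:59+00:00')
    print(review(SAMPLE_LOG, *window))
    print(accesses_in_window(SAMPLE_LOG, 'process.docx', *window))
```

On the constructed sample the two traversal attempts both fall outside the assumed window, which is the situation the narrative describes: the external attacks are real findings to fix, but they do not explain the leak. The second query narrows the same window to requests for the file of interest, which is the question an investigator actually wants answered before turning to the workstation evidence.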
Jack went to the telecommunications closet and discovered that the door was unlocked and the AC was broken; it was critically hot in the small room. He also noticed that someone had opened a ceiling panel (probably to allow fresh air into the closet). Jack now wondered whether there should be a false ceiling in a sensitive area at all, and made another mental note to go through all the physical security concerns when he had time.

Jack went to the main lobby and checked the visitor sign-in sheet. Clearly the company was not following procedures, as only a few people signed in per day when he knew it should be over 10 people a day. He did notice one thing: of the three suspected employees, only Steve Kim had been visited by a "Jason Byway", several times. Jack ran simple background checks using social media (Facebook, LinkedIn, and Google) on all ninety-five people who entered the facility during the time the leak occurred, and only "Jason Byway" was a fake name.

Jack decided to run a credit report on all three suspects. The scores were: Jamie Kim 650; Duncan Harris 670; Steve Kim 540. Jack confiscated all three employees' workstations and did a preliminary investigation of the hard drives. Of all the suspected employees, only Steve Kim had deleted files containing the personal health information (PHI) used in a research study. Thus, Jack concluded that Steve Kim stole the information from another employee (Jamie Kim) and was the insider who sold company secrets, probably to get out of financial trouble.
ISE 510 Final Project Scenario

Background
Limetree Inc. is a research and development firm that engages in multiple research projects with the federal government and private corporations in the areas of healthcare, biotechnology, and other cutting-edge industries. It has been experiencing major growth in recent years, but there is also a concern that information security lapses are becoming rampant as the company grows. Limetree Inc. is working to establish a strong reputation in the industry, and it views a robust information security program as part of the means to achieving its goal. The company looks to monitor and remain compliant with any regulation impacting its operations.

Limetree Inc. recently experienced a security breach; it believes confidential company data has been stolen, including personal health information (PHI) used in a research study. Limetree Inc. believes the breach may have occurred because of security vulnerabilities within its systems and processes. Limetree Inc.'s virtual environment is presented in the Agent Surefire: InfoSec educational video game. The rest of the environment is presented via an interview with the security manager, Jack Sterling.

Highlights of Interview with Jack Sterling
The interview with Jack Sterling revealed the following about Limetree Inc.'s systems and processes:

Hardware/Software:
Desktop Apps: Internet Explorer, Firefox, Google Chrome, MS Office, Adobe Flash, Adobe Acrobat

Applications/Databases:
Browser – The browser in use is Internet Explorer, and the browser security setting is set to low. Browsers allow remote installation of applets, and there is no standard browser for the environment.
Virus Software – McAfee is deployed locally on each user's machine, and users are mandated to update their virus policy every month.
SQL Database – Ordinary users can escalate privilege via SQL Agent. Disk space for the SQL database log is small, and the log is overwritten with new information when it is full. Limetree Inc. is not using any encryption for sensitive data at rest within the SQL Server environment.

Network:
The network comprises the following: three web/application servers, three email servers, five file and print servers, two proxy servers, seven remotely manageable Cisco switches, 250 desktops, three firewall devices, one gateway (router) device to the internet, and three wireless access points.

Configuration Highlights:
Wireless – The wireless network is available with a clearly advertised SSID, and it is part of the local area network (LAN). There is no segmentation or authentication between the wireless and wired LAN. Visitors are provided an access code to the wireless network at the front desk to use the internet while they wait to be attended to.
Managed switches – There is no logging of network activity on any of the switches.
Web server – The public-facing web server is part of the LAN. This is where internet users get needed information on the company. The web servers also run the following services: File & Print Services, Telnet, IIS.
Firewalls – The firewall configuration is very secure, and the logs are reviewed when there is suspicion of a security event. The following file types are allowed for inbound connections: EXE, DOC, XML, VBS. In addition, Telnet and FTP are allowed for inbound connections.
Passwords – Users determine the length and complexity of their passwords, but it is mandatory to change passwords once a year.
Network configuration changes are determined by the IT manager, and users are notified immediately once the changes are implemented.

Documentation:
I. There is no documented security policy or computer use policy.
II. There is no documented process for changes to the system.
III. There is no contingency plan.

System Backup:
I. Backup is conducted daily by the network administrator, and tapes are kept safely in the computer room.

Personnel/Physical Security:
I. While users are not trained in security awareness, emails go out every month from the system administrator warning users of emerging threats.
II. Visitors sign in at the front desk before they are allowed to walk in to see employees at their respective offices.
III. Remote employees connect via virtual private network. Their laptops are configured exactly as the desktops in the office, with unencrypted hard drives.
IV. Users are often allowed to bring in their own laptops, connect to the corporate system, and complete their tasks, especially if they are having issues with the laptops provided by the company.

Incident Response:
At Limetree Inc., systems administrators are notified of computer incidents, and the administrators escalate to the IT manager, who reports incidents to the security manager if they are deemed relevant. Currently there is no official documented process for reporting incidents. There is also no documented history of previous incidents, even though Limetree Inc. has experienced quite a few. Corrective measures are taken immediately after an incident, though none of the measures was ever documented.

ISE 510 Final Project Guidelines and Rubric
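The interview highlights above are, in effect, a list of configuration findings. As an added illustration (not course material and not part of the Limetree scenario), the following script encodes those findings as a configuration, runs a set of baseline checks over it, and pairs each weak setting with a corrected value and a qualitative High/Medium/Low severity of the kind the milestone template asks for. The LIMETREE values are constructed from the interview; the check identifiers (BRW-01, FW-01, and so on) and the HARDENED values are assumptions made for this example, not part of any standard.

```python
"""Baseline review of the Limetree configuration from the interview above.

Added illustration, not course material: LIMETREE encodes the interview
facts, HARDENED is a constructed corrected version, and the check ids
(FW-01 and so on) are labels chosen here, not from any standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str      # qualitative High / Medium / Low
    observed: str
    recommended: str


# Constructed from the interview highlights in the scenario above.
LIMETREE = {
    "browser_security_level": "low", "browser_allows_remote_applets": True,
    "firewall_inbound_file_types": {"EXE", "DOC", "XML", "VBS"},
    "firewall_inbound_services": {"Telnet", "FTP"},
    "wireless_segmented_from_lan": False, "wireless_authenticated": False,
    "switch_logging": False,
    "web_server_in_lan": True,
    "web_server_services": {"File & Print Services", "Telnet", "IIS"},
    "password_min_length": 0, "password_complexity_required": False,
    "sql_users_can_escalate_via_agent": True, "sql_encryption_at_rest": False,
    "laptop_disk_encrypted": False,
    "documented_security_policy": False, "documented_change_process": False,
    "contingency_plan": False, "documented_incident_process": False,
}

# Every boolean in the interview is in its weak state, so flipping them all and
# fixing the few non-boolean settings gives the corrected configuration (assumed values).
HARDENED = {k: (not v if isinstance(v, bool) else v) for k, v in LIMETREE.items()}
HARDENED.update(browser_security_level="high", firewall_inbound_file_types={"XML"},
                firewall_inbound_services={"HTTPS"}, web_server_services={"IIS"},
                password_min_length=12)

# (id, severity, predicate that is true when the setting is weak, observed, recommended)
CHECKS = [
    ("BRW-01", "Medium",
     lambda c: c["browser_security_level"] == "low" or c["browser_allows_remote_applets"],
     "browser security set to low; remote applet installation allowed",
     "one standard browser with a hardened, centrally managed policy"),
    ("FW-01", "High",
     lambda c: bool({"EXE", "VBS"} & c["firewall_inbound_file_types"]),
     "executable file types (EXE, VBS) permitted inbound",
     "block executable and script file types inbound"),
    ("FW-02", "High",
     lambda c: bool({"Telnet", "FTP"} & c["firewall_inbound_services"]),
     "cleartext services (Telnet, FTP) permitted inbound",
     "close Telnet and FTP inbound; use SSH/SFTP from known sources only"),
    ("NET-01", "High",
     lambda c: not (c["wireless_segmented_from_lan"] and c["wireless_authenticated"]),
     "wireless is unauthenticated and bridged to the wired LAN",
     "authenticated wireless on its own segment with no route to the LAN"),
    ("NET-02", "Medium",
     lambda c: not c["switch_logging"],
     "no logging on the managed switches",
     "log on every switch and forward to a central log server"),
    ("WEB-01", "High",
     lambda c: c["web_server_in_lan"] or c["web_server_services"] != {"IIS"},
     "public web server inside the LAN, also running Telnet and file/print",
     "move it to a DMZ and run only the web service"),
    ("DB-01", "High",
     lambda c: c["sql_users_can_escalate_via_agent"] or not c["sql_encryption_at_rest"],
     "ordinary users can escalate via SQL Agent; PHI unencrypted at rest",
     "restrict SQL Agent to administrators and encrypt the database at rest"),
    ("PWD-01", "Medium",
     lambda c: c["password_min_length"] < 12 or not c["password_complexity_required"],
     "users choose their own password length and complexity",
     "enforce minimum length and complexity centrally"),
    ("END-01", "High",
     lambda c: not c["laptop_disk_encrypted"],
     "remote laptops have unencrypted hard drives",
     "full-disk encryption on every laptop"),
    ("GOV-01", "Medium",
     lambda c: not all(c[k] for k in ("documented_security_policy", "documented_change_process",
                                      "contingency_plan", "documented_incident_process")),
     "no documented security policy, change process, contingency plan, or incident process",
     "write, approve, and maintain all four documents"),
]


def review(config):
    """Return one Finding for every check whose weak-state predicate holds."""
    return [Finding(cid, sev, obs, rec) for cid, sev, weak, obs, rec in CHECKS if weak(config)]


def summarize(findings):
    """Count findings per qualitative severity."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in review(LIMETREE):
        print(f"[{f.severity}] {f.check_id}: {f.observed} -> {f.recommended}")
    print(summarize(review(LIMETREE)), "after hardening:", summarize(review(HARDENED)))
```

Running the script lists ten findings for the interview configuration (six High, four Medium) and none for the hardened one. The point of keeping each check as a predicate over the configuration rather than a prose note is that the same checks can be re-run after the recommended controls are implemented, which is the evaluation criterion the Risk Mitigation section of the rubric asks for.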
Overview
The final project for this course is the creation of a security breach analysis and recommendations. The relevance of risk assessment cannot be overemphasized as organizations establish or reaffirm their security posture, especially in the wake of overwhelming computer security breaches at many organizations in the United States and around the world, including government agencies. Organizations seek to understand their compliance status for current regulations as well as their vulnerabilities in order to adopt a proper approach to managing risk. It is equally important to conduct a risk assessment after a system breach has occurred, to better understand the threats and the vulnerabilities that were exploited.

For your final project, you will analyze an information security breach that has already occurred. This places you in the role of a risk assessment expert, brought in to determine how the breach occurred and to develop strategies to keep the breach from reoccurring. Risk assessment experts can fill the positions of penetration tester, information security auditor, and independent verification and validation analyst, for example. Such roles will continue to gain relevance as organizations and governments continue to move sensitive financial information, personal health information (PHI), and personally identifiable information (PII) across publicly accessible networks and storage devices.

For the final project for this course, you will analyze the information security breach provided in the Final Project Scenario document and in the educational video game (Agent Surefire: InfoSec) you will play in Module Three. In your analysis, you will discuss how the breach occurred, the incident response processes that were initiated, the impact of the breach, and the regulations applicable to the organization. Then you will develop a security test plan for the breached system and create security controls to ensure that the breach will not reoccur.

The project is divided into three milestones, which will be submitted at various points throughout the course to scaffold learning and ensure quality final submissions. These milestones will be submitted in Modules Three, Five, and Seven. The final product will be submitted in Module Nine.

This assessment addresses the following course outcomes:
• … through analysis of security breaches
• Evaluate incident response processes for their effectiveness in ensuring business continuity in support of organizational goals
• … information security of organizations
• … networks, applications, or physical security assessment projects based on established cybersecurity standards
• … website, and network vulnerabilities
• Organizational culture and communication challenges that could affect cybersecurity risk assessment in a diversified world

Prompt
Your security breach analysis and recommendations should answer the following prompt: Using your Final Project Scenario and your gameplay from the educational video game Agent Surefire: InfoSec, which you will complete in Module Three, analyze the information security breach to determine how the breach occurred, evaluate the incident response processes, and assess the impact of the breach and of applicable regulations on the business or organization. Then use your analysis to develop a security test plan, security controls to mitigate risk, and recommendations that reduce the impact of organizational culture and communication challenges.
Specifically, the following critical elements must be addressed:

I. Introduction: Provide a brief profile of the business or organization that has been attacked, including its organizational goals. In your profile, you could consider the industry in which the business or organization operates and the product or service that is its focus, for example.

II. Security Breach: In this section, you will analyze one current information security breach, describing the business or organization that has been affected by this breach and explaining how the breach occurred. Specifically, you should:
A. Attack Location: Determine what part of the business or organization was attacked by analyzing the security breach that occurred. For example, was the network attacked? Or was the company website hacked?
B. Attack Method and Tools: Analyze the security breach to determine the method and tools that were used to carry out the attack. In other words, how did the attack occur?
C. Vulnerabilities: Based on your analysis, what vulnerabilities of the business or organization were exploited? How were the vulnerabilities discovered? For example, were the vulnerabilities discovered by an employee, a third party, or a customer?

III. Incident Response: In this section, you will evaluate the incident response processes that were initiated in response to the breach. Specifically, you should:
A. Actions: What incident response actions were initiated to minimize the impact of the breach? In other words, what did the business or organization do to address the vulnerabilities and resume normal system operations after the breach?
B. Business Continuity: Evaluate these incident response actions for their effectiveness in allowing the business to resume normal system operations after the breach. In other words, how effective were these incident response actions in ensuring business continuity and supporting the organization's goals?

IV. Impact: In this section, you will discuss the possible impacts of applicable cybersecurity regulations on the business or organization. Specifically, you should:
A. Application: Describe the government and industry regulations that apply to the business or organization in relation to the security breach. For example, what legislation, directives, and policies relate to the security breach?
B. Impact: How do these regulations impact the business or organization and its information security? Support your response with specific examples.
C. Financial and Legal Implications: Discuss the possible financial and legal implications of the security breach for the business or organization. Will the business or organization be subject to any fines or sanctions because of the security breach, for example?

V. Security Test Plan: In this section, you will develop a security test plan for the breached system, basing your plan on your analysis of the security breach and on established cybersecurity standards such as those from the National Institute of Standards and Technology (NIST). Specifically, you should:
A. Scope: Determine the scope of the risk assessment. For example, what assets, threats, and vulnerabilities will need to be addressed? Will the risk assessment need to include networks, applications, or physical security systems? What policies and procedures will need to be reviewed?
B. Resources: Document the resources required for the risk assessment. In other words, what do you need to actually do the assessment?
C. Hardware and Software: Create a list of the system hardware and software within the target of the risk assessment. In other words, what are the parts of the system that you are assessing?
D. Tools: Determine the necessary tools for the risk assessment, based on the list of system hardware and software you created.

VI. Risk Mitigation: In this section, you will create security controls to ensure that the breach will not reoccur. Specifically, you should:
A. Security Controls: Create at least five security controls that mitigate future risks by ensuring that the security breach will not reoccur. These controls can be technical, administrative, or personnel security controls, for example.
B. Vulnerabilities: How will the security controls you created mitigate risks by reducing application, website, and network vulnerabilities?
C. Evaluation: What are the criteria for measuring the controls to ensure they are properly implemented? In other words, how will the security controls be evaluated?

VII. Conclusion: In this section, you will recommend methods to reduce the impact of organizational culture and communication challenges. Specifically, you should:
A. Communication: Document the interpersonal communication issues encountered within the risk assessment team. How were the issues resolved?
B. Organizational Culture: What challenges to organizational culture occurred as a result of the security breach? In your response, consider the impact of the security breach on the reputation of the business or organization.
C. Recommendations: What methods can you recommend to reduce the impact of these communication and organizational culture issues in future risk assessments?

Milestones
Milestone One: Kickoff Agenda
In Module Three, you will submit a kickoff agenda. This milestone will be graded with the Milestone One Rubric.
Milestone Two: Test Plan
In Module Five, you will submit a test plan. This milestone will be graded with the Milestone Two Rubric.
Milestone Three: Incident Response Plan
In Module Seven, you will submit an incident response plan. This milestone will be graded with the Milestone Three Rubric.
Final Submission: Security Breach Analysis and Recommendations
In Module Nine, you will submit your final project. It should be a complete, polished artifact containing all of the critical elements of the final product. It should reflect the incorporation of feedback gained throughout the course. It should also be structured to follow the outline presented in the Prompt. This submission will be graded with the Final Project Rubric (below).

ISE 510 Security Risk Analysis & Plan
Security Breach Analysis and Recommendations
Milestone 2: Test Plan
<Last Name, First Name>
Due <DATE>
Submitted on <DATE>
If late, let me know why:
=====================================
Delete these instructions in blue font before submission:
Change the file name to MS#2_LAST_FIRST

A few comments up front: Assume you and your team are hired by Limetree as IT security consultants to analyze the breach, determine the vulnerabilities, and make recommendations for an extensive security program, including policies, controls, enforcement of controls, and continuous monitoring, all for the purpose of reducing information system risk to an acceptable level.
You will need to look up ONE of the risk methodologies listed in the References section. Some are easier than others! So look at a few and then decide which one you like. If you want to use another one, just let me know. If you have any questions, please let me know as soon as possible.

Introduction
a) Introduce your company (Limetree) and state its capabilities. It's good business communication practice to double-check assumptions and verbal correspondence. I would copy the background section from the Final Project Scenario and make changes as needed.
b) State your goal for the security breach analysis project. Whatever you write as the goal should be connected to the scope below. Remember, we are in a Risk Assessment and Planning class, so you should include how 'risk' fits into the goal(s).

Scope
a) Define the scope of the project. From a project management perspective, the scope is the boundary of the project and specifies which aspects will be included and which will not. From a cybersecurity perspective, we're interested in IT systems, facilities, people, cybersecurity procedures and policies, and the threats and vulnerabilities mentioned in the Surefire game or THE BREACH supplemental document. Here are some ideas; answer these questions in essay format:
a) What is the primary reason Limetree is performing this activity?
b) What will the Security Breach Analysis and Recommendations report produce? (Look back at the goals.)
c) What were the major threats and vulnerabilities described in the Agent Surefire game?
d) What were the major threats and vulnerabilities described in THE BREACH supplemental document?
e) Are there any limitations or constraints?
f) How long will it take? (It should be less than a month; you can answer this after you complete 'Timeline and Benchmarks' below.)
g) About how much will it cost? (You can answer this after you complete 'Timeline and Benchmarks' below.)
Remember that the title of the Final Project is "Security Breach Analysis and Recommendations", so keep the discussion to that.

Hardware and Software
a) Create a list of the hardware and software present. Just list the hardware and software found throughout the Final Project Scenario and the breach description.

Resources
a) Determine the resources required, with a brief explanation of why each is required (e.g., internet access, computers, additional personnel). These are the resources needed to complete the Security Breach Analysis and Recommendations report (i.e., our Final Project). Here are the main three types of resources (you can add more if you want):
• Team members – List the job titles of the team members and their skill level: their skills, certifications, and experience. How much does each member cost per hour?
• Hardware and software – What special hardware or software is needed, and what licenses or subscriptions are required (for example, a penetration test suite)?
• Special tools – Forensic hard drive duplicators, wireless detection scanners, etc.
Hint: A team of 5 would be too large, and a team of 1 is too small.

Timeline and Benchmarks
a) Discuss your timeline for the project (how long it will take and why). This can be a bulleted list of the major tasks to be completed (no more than 6 major tasks); under each bullet give a short description. You can list the tasks and their descriptions like a project manager would. Also, on each bullet, estimate the number of man-hours required to complete each major task. Example: 3 people working 5 days at 40 hours per week is 3 x 40 = 120 man-hours.
EXAMPLE:
1. KICK-OFF Meeting. The kick-off meeting serves as an opportunity to discuss the organizational structure, introduce the team to senior leaders and IT staff, review the facts of the breach, and define the scope of the project. Approximately 3 team members for 2 hours is 6 man-hours.
b) Discuss what regulatory benchmark you will be using to make the vulnerability determination. Here is an example of what this question is looking for:
The regulatory benchmark that will be used in the vulnerability determination is the OCTAVE Allegro methodology (Caralli, Stevens, Young, & Wilson, 2007). The original OCTAVE methodology was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University in 1999. Since then several versions have been developed, and in June 2007 SEI introduced the OCTAVE Allegro methodology.
Any of the risk methods listed in the References (at the end of this document) will be acceptable! Or, if you have a risk method you'd like to use, just let me know.

Approach
a) State your approach. Here is an example of what this question is looking for:
The OCTAVE Allegro methodology uses an 8-step process for conducting a risk assessment. These are: 1) establish risk measurement criteria; 2) develop an information asset profile; 3) identify information asset containers; 4) identify areas of concern; 5) identify threat scenarios; 6) identify risks; 7) analyze risks; and 8) select a mitigation approach. The OCTAVE Allegro methodology uses questionnaires, worksheets, checklists, and templates to guide the risk assessor through the 8-step process.
b) Define how you will categorize your findings (example: low, medium, high). Here is an example of what this question is looking for:
The OCTAVE Allegro methodology uses three categories to evaluate the probability of a threat exploiting a vulnerability: High, Medium, and Low. The final risk score is a relative risk score, which combines the qualitative risk probability (high, medium, low) with a prioritized impact level, taking the organization's criteria into consideration.

References
Add your references here. Have at least 3 references. Delete those references that you did not use.

Caralli, R. A., Stevens, J. F., Young, L. R., & Wilson, W. R. (2007). Introducing OCTAVE Allegro: Improving the information security risk assessment process (CMU/SEI-2007-TR-012). Carnegie Mellon University, Software Engineering Institute. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA470450
CORAS. (2015). The CORAS Method. Retrieved from http://coras.sourceforge.net/
NIST SP 800-37. Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
NIST SP 800-39. (2011). Managing Information Security Risk: Organization, Mission, and Information System View. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). NIST SP 800-30: Risk management guide for information technology systems. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf