CMIT 421 UMGC Threat Management & Vulnerability Mitigation PPT
CMIT 421
June 28, 2021
AGENDA
Main Point #1
Main Point #2
Main Point #3
Main Point #4
Logistics through innovation, dedication, and technology – MERCURY USA Delivers!
1: OUR BUSINESS CASE
▪ What are the important factors about the business?
▪ What is the CEO’s intent and guidance?
▪ How do the first two items relate to the next slides?
▪ Example sub-bullet #1
▪ Example sub-bullet #2
▪ Example sub-bullet #3
2: OUR SECURITY POSTURE
▪ What are the most important vulnerabilities discovered?
▪ What is our exposure to known threats?
▪ How did you link the results to the business?
▪ Transportation industry hit hard by ransomware attacks
▪ Example #1: Use your findings and conduct research [1]
▪ Example #2: Use your findings and conduct research
3: OUR VM PROCESS
[Figure: VM process diagram, steps labeled A through F]
4A: WE NEED A GOOD SCANNER
▪ Reviewed scanners
▪ is recommended due to several factors
▪ Sub-bullet #1
▪ Sub-bullet #2
▪ Sub-bullet #3
▪ Sub-bullet #4
4B: THE ASK
▪ Lead-in bullet
▪ Sub-bullet #1
▪ Purchase :
▪ Cost
▪ Manpower
▪ Measures of success
SUMMARY
▪ Main Point 1
▪ Main Point 2
▪ Main Point 3
▪ Main Point 4
EXECUTIVE DISCUSSION & QUESTIONS
REFERENCES
[1] A. Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”, Wired, 2020. [Online]. Available:
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/. [Accessed: 19-May-2020].
[2] “Nessus Pro”, Tenable.com, 2020. [Online]. Available: https://www.tenable.com/products/nessus. [Accessed: 19-May-2020].
Presentation
Instructions
Remember to be clear about what action you are recommending. Executive management will want to
understand not only what you discovered, but also what you propose as a solution. The company’s
leaders will want to know what decisions they need to make based on your findings. Give them the
actionable information they need to decide.
You may want to review these presentation resources to help you with your narrated presentation. You
will provide voice annotation for all slides in the following format:
• five to 10 slides maximum; limit bullets to no more than six per slide
• voice annotation for every slide (excluding the reference slide)
• a reference slide with one to two quality sources
Remember to delete the instructional text from the template before you submit.
How Will My Work Be Evaluated?
You may find yourself making presentations to customers, client audiences, and management. By
summarizing your results and recommendations to management in an effective presentation, you are
demonstrating how you use your technical knowledge to convey your ideas to others in a professional
setting. Your ability to express your recommendations to provide information for decision makers in a
format that uses the right mix of technical detail in a business context is an important workplace and
career skill.
The following evaluation criteria aligned to the competencies will be used to grade your assignment:
• 1.2.2: Employ a format, style, and tone appropriate to the audience, context, and goal.
• 1.3.3: Integrate appropriate credible sources to illustrate and validate ideas.
• 2.1.3: Explain the significance of the issue or problem.
• 12.3.2: Describe the implementation of controls.
• 12.8.1: Recognize the process to obtain approval from the business process owner.
• 13.2.1: Evaluate vendor recommendations in the context of organization requirements.
MEMO
06/01/2021
Recommendations:
Overview
The vulnerability scan conducted during the assessment of the organization established that
there are several cases of cybersecurity violations. Following evaluation of the results of the
vulnerability scan, this memo has been prepared to help address the issues
affecting the operations of Mercury USA. First, this memo proposes a Vulnerability
Management (VM) process tailored to Mercury USA. Second, this memo
addresses the quality of the vulnerability scan results. Finally, this memo offers
a business case for what Mercury USA might potentially fall prey to if specific proposals are
not adopted (Akram & Ping, 2020). Management has recorded various concerns about
negative impacts on the operations of Mercury USA. Such concerns make senior
administrators accountable for offering a viable solution for dealing with cases like WannaCry.
Part 1: Vulnerability Management (VM) Recommendation Procedure
For the VM process to be implemented effectively, the management of Mercury USA
needs to ensure that established standards are used to support its operations. The framework
applicable to Mercury USA is the Payment Card Industry Data Security Standard (PCI-DSS).
The most current version of the standard is PCI-DSS v3.1, which is the most recent version,
initiated in 2015. The standard helps improve the protection of cardholder data.
After ensuring compliance with PCI-DSS, Mercury
USA can then begin creating the company's own policies. The company can focus on
classifying information based on its sensitivity to ensure it is secured to an adequate degree
(Mierzwińska-Hajnos, 2017). The classification levels could be proprietary, community,
and private. Classification of systems at the community level remains sensitive and
confidential, as it makes data more accessible.
The technological assets used by the company need to be considered in the VM
recommendations. This supports assessing them through quantitative as well as
qualitative risk assessment. After a thorough risk evaluation, the assets
found to be most vital can be given first priority based on their effect on Mercury USA's
operations. Besides assessing the existing vulnerabilities of the different controls, vulnerability
scans need to be done at predetermined intervals (Jagodzińska, 2019). To conform to PCI-DSS
requirements, Mercury USA must scan at least once every three months. The vulnerability scans
should be executed with credentials. A credentialed scan
may take longer than a non-credentialed scan, but
credentialed checks are more comprehensive and produce better results.
Owing to the number of vendor patches released and the persistent advancement of
cyber threats, it is recommended that credentialed vulnerability scans be
performed monthly.
Following a review of different free and paid network vulnerability scanners, Nessus
Professional was found to be an effective scanning tool that produces compelling reports. The tool is
effective in generating thorough scan results. While Nessus Professional is not free, the
cost is justified when considering the potential losses from a cyber-attack. Based on the
results and recommendations, the reports can identify the vulnerabilities that pose the
greatest danger to Mercury USA (Akram & Ping, 2020). Technical reports are created
to offer comprehensive results to members of the information technology department.
Management reports can provide executives within Mercury USA with key facts alongside
a list of recommendations they can use when making decisions.
Part 2: Vulnerability Scanner Evaluation and Recommendations
After assessing the scan results provided by the third-party source, it has been determined that the
scan performed was inadequate. The tool used was OpenVAS, a widely used Linux-based
scanner. The tool can offer comprehensive results on the
vulnerabilities present when used well, even within enterprise settings (Mierzwińska-Hajnos, 2017).
As OpenVAS is a free, open-source scanner, it falls short in several areas in contrast to
Nessus. OpenVAS scans less effectively: for several Common Vulnerabilities and
Exposures (CVEs) it supports fewer operating system checks, and it does not offer recommendations for
policy management.
The report reviewed covered only a single host IP address, in a scan that lasted three
minutes and identified just four vulnerabilities (Jagodzińska, 2019). An effective vulnerability
scan can take about sixty minutes or more to execute, depending on the number of results
and recommendations of the scan. Our team cannot confirm that the most severe
vulnerabilities have been identified. Hence, this report should not be presented to
management, since it fails to accurately or adequately reflect the present condition of
Mercury USA's network infrastructure (Galuzin, 2020). It is recommended that Mercury USA
purchase the Nessus software and enable the Mercury USA team to execute vulnerability scans.
From the results gathered and evaluated, a compelling report can be prepared and
presented to our managers.
Part 3: Business Case Instance
Given the ever-evolving and persistent threats posed by cyber attackers, we feel it
is essential to offer an example of what could happen to Mercury USA in the event of an
attack. While our manager is aware of our competitor's recent incident, we believed
our competitor would recover from the ransomware attack. Mercury USA, however, might
not be as lucky as other corporations. Given the unknown security
posture of the network, it is not possible to assert with confidence that operations are
secured against attacks. Attackers might gain unauthorized access to the most sensitive data files
and exfiltrate them from the organization (Galuzin, 2020). Such data could include bank
records, credit card information, and personally identifiable information of employees and
clients. After exfiltrating such sensitive information, attackers might then deploy
ransomware that encrypts files and prevents managers from accessing them
at any time (Nicho, 2018). Additionally, the VM process aims at creating and implementing
a comprehensive methodology for identifying critical assets and appropriately scanning those assets for
vulnerabilities using Nessus. These techniques provide
the relevant people with the important details in individual reports. The reports help in making decisions
to mitigate any risks. Nessus is the essential tool needed to ensure that the VM process
is workable.
Closing
To ensure Mercury USA maintains a strong security posture against cyber threats, the employees
and stakeholders involved in its operations need to move quickly to implement the VM process.
The incident example discussed above is just one of several possible attacks that
cybercriminals might carry out. By establishing a framework that combines the established
standards with those created by the organization, managers can then perform regular
vulnerability scans. Conducting these scans with a highly capable tool like Nessus can help
enhance the organization’s security posture by identifying and recommending solutions for
vulnerabilities within the network infrastructure. Mercury USA can continue operating as the
premier provider of transport services for current and prospective clients by reducing
potential attack vectors.
Best Wishes.
Samuel Obasanya
Cybersecurity Threat Analyst
Mercury USA
References
“Chapter 5: Implementing an Information Security Vulnerability Management Process”, Pearson
CompTIA Cybersecurity Analyst (CySA+), 2020. [Online]. Available:
https://www.ucertify.com/. [Accessed: 28-Apr-2020].
Akram, J., & Ping, L. (2020). How to build a vulnerability benchmark to overcome cyber security
attacks. IET Information Security, 14(1), 60-71. doi: 10.1049/iet-ifs.2018.5647
Galuzin, I. (2020). Vulnerability management and vulnerability assessment as a means of
cybersecurity. Modern Information Security. doi: 10.31673/2409-7292.2020.032933
Jagodzińska, N. (2019). Implementing Information Security Management Systems in Transport
Industry Organizations. Transport Economics And Logistics, 82, 79-90. doi:
10.26881/etil.2019.82.07
Mierzwińska-Hajnos, A. (2017). LEXICAL VS CONCEPTUAL BLENDS: HOW TO RECONCILE
THE TWO?. Acta Neophilologica, 1(XIX), 55-68. doi: 10.31648/an.669
Nicho, M. (2018). A process model for implementing information systems security governance.
Information & Computer Security, 26(1), 10-38. doi: 10.1108/ics-07-2016-0061
VM Scanner Background Report
CMIT 421 Threat Management and Vulnerability Assessment
Introduction
The complexity and frequency of cyberattacks are increasing, and the risk to businesses in
the US and across the globe is growing. Studies indicate that every year, up to 80% of large
businesses and 60% of small enterprises suffer cyberattacks. Internet growth has driven the
rapid increase in cybercrime. Since the introduction of the internet, the proportion of web users
across the globe has grown tremendously. In the coming years, the number of interconnected
devices across the globe will surpass that of human beings.
Awareness of threats and their probable outcomes has found its way into the
boardroom, with cyber risk and the risks to essential infrastructure climbing into the top five
concerns globally. Research suggests that customers and shareholders
expect that companies will conduct a thorough evaluation of the cyber risks that may affect the
business. The level of damage that cyberattacks can have on an organization’s reputation, profit,
competitive position, brand, and operational ability can be regrettable. Nonetheless, some
organizations remain unprepared for the same. It is, therefore, time that organizations understood
the risks they face and implemented effective measures to cushion their business against the impact
of cyber risks. In this regard, this paper attempts to conduct a cyber risk analysis for
Mercury USA.
Part 1: Nessus Vulnerability Report Analysis
It is inappropriate to distribute the report on Mercury USA’s potential
vulnerabilities as it is currently composed because there is a need to interpret the report.
The report is not self-explanatory, and thus there is a need to attach meaning before
sending it to management. In addition, it is important to consider the expertise and
educational background of the management and the possibility of them lacking any
knowledge of the technical issues that the report reveals. Thus, interpreting the report and
attaching meaning to every aspect of the report would provide a significant revelation on
the key issues that the management needs to prioritize and the significance of every
recommendation to reduce the potential vulnerabilities that Mercury USA faces.
My overall impression of the tool’s output is that it is easy to interpret, well-organized,
and includes enough detail in the vulnerability analysis report. The detail
provided in the report is not too much but rather sufficient for an effective and accurate
interpretation of the company’s vulnerabilities.
The vulnerability analysis tool used in this report provides enough reporting detail
for an analyst to focus on the pertinent threats and vulnerabilities for Mercury USA. For
instance, the tool reports on the presence of data corruption, loss or deletion;
data compromise resulting in the breach of third-party confidential data and personal
data; cyber espionage; and corruption of IT systems and networks, which are increasingly
becoming the epicenter of cyberattacks in the transport industry. Additionally, since more
control systems and devices are connected via the internet, there will be more
vulnerabilities, increasing the probability of damage to physical assets.
From the vulnerability report given by the vulnerability assessment tool, the three
most important vulnerabilities in this system for Mercury USA are the high-severity
vulnerabilities affecting the privacy of data, data breach, and possible hacking of emails,
which are associated with large volumes of data flowing across systems.
These three vulnerabilities are the most critical because they are critical-severity
vulnerabilities in the Linux system that is associated with the transport networks,
which are increasingly becoming digital. The vulnerability report provides enough
information to help address and mitigate the three most important vulnerabilities
because it illustrates that the steps for remediation begin with monitoring and tracking
both physical and digital networks. Therefore, it places Mercury Systems at the center of
organizations that various intruders can attack.
Part 2: The Business Case
The overall assessment of Mercury USA’s current security posture is that it is
highly exposed to cybersecurity vulnerabilities and threats that could potentially. Mercury
Systems is characterized by interconnected data systems that flow via the value chain, which are especially
prone to these attacks (Kumar & Xu, 2017). Additionally, the company is facing a potential
cyberattack disrupting physical networks, with serious business implications. The information
in the vulnerability scans that supports my assessment of the level of cybersecurity exposure of
Mercury Solution Inc. is that the vulnerabilities with high severity.
Based on the vulnerabilities present in the reports and the information available about
them, Mercury USA, as a key player in the production of aerospace and defense programs, may
easily be a target for scammers in terms of its critical products, technology, and critical
customers. The at-risk systems are used to control the movement of trains, power delivery to
networks, signal infrastructure control, and operational planning and timetabling. Being a
provider of important national infrastructure, Mercury USA may be targeted by various actors whose intention
is to cause disruption, besides hackers, disgruntled staff, and organized criminals. The threat
that an adversary might try to use against the organization to exfiltrate data is the development
of electronic and communication platforms in various physical and electronic networks, which
complicates the chances of detecting any suspicious activities and raises serious concerns
about potential disruptions.
Part 3: Nessus Purchase Recommendation
The overall presentation and scoring features of the Nessus commercial vulnerability
scanner are adequate for technical professionals because the increasing use of product tracking
systems and real-time control systems with web interfaces requires such an effective and
accurate vulnerability scanning tool. Again, the vulnerability scanning tool results are efficient
for an organization such as Mercury USA that needs resilience and safety compared to the
protection of customer information.
The Nessus vulnerability scanning tool can help Mercury USA comply with regulatory
and standards requirements by demanding that pilot training and practices are optimized so
that they can easily adapt in the event of a security breach through cyberattacks (Coffey et al.,
2018). In addition, the key components of the Nessus report outline the potential sources of
information for developing and supporting ideas that would guide the routine evaluation of
the company's systems and networks. As a result, Mercury USA will effectively establish the potential
cybersecurity vulnerabilities and then put in place prevention measures and policies to prevent
data breaches (Radanliev et al., 2018).
The cost of Nessus is $423 per year but worth the investment because the increasing
use of product tracking systems, as well as real-time control systems with web interfaces, again
results in an increased number of vulnerabilities when it comes to management across a large
supplier base. However, the tool’s usability, support, and efficacy warrant the cost because it is
easy and interoperable across networks. It can be configured to both LAN and WAN, thus
giving users ease of access and navigation. The major scoring features are adaptability, ease
of updates, and availability of more alternatives.
The Nessus report is suitable for management; it covers a wide scope of applications such
as recommending data security policies, response plans, the company staff tasked with intervening in
case of such attacks, and strategies for handling the whole issue of preventing and responding to
such attacks. Regardless of the level of security the company may put in place, cybercriminals
will always attempt to gain access to company systems and networks. To effectively
address any incident of data breach, the General Data Protection Regulation holds that companies
like Mercury USA should report such incidents to relevant agencies within 72 hours of the breach
(Coffey et al., 2018).
I would recommend that Mercury USA purchase the tool because it will help the
organization to conduct a proper evaluation of their staff to mitigate the possibility of internal
threats. It should also be complemented with proper training concerning the importance of data
security.
Conclusion
Players in the transport industry, like Mercury USA, should put in place certain
acceptable security measures to ensure compliance. To begin, cyber attackers find their
way into organizations through their networks, systems, and sometimes through employees who
are negligent, disgruntled, or ignorant of security measures. It is therefore imperative that
Mercury USA put in place a computer and device inventory capable of determining
what it owns and where it is located (Mantha & de Soto, 2019). Secondly, Mercury USA should perform
software updates regularly and correctly install security requirements.
Third, Mercury USA should make it a routine to use strong login IDs and passwords and
ensure they are periodically changed. The company should also avoid using default login
credentials, and individuals should not share credentials. Fourth, because scammers will always try to
invade, Mercury USA should ensure it has firewalls that separate systems, networks, and the
internet. Besides, it should always segment these networks and provide access to each section
of the network only to the specific employees who are granted access, to limit internal threats (Radanliev et
al., 2018). In essence, to ensure the security of sensitive data, the data should always be
encrypted. The company should also put in place necessary measures to monitor or restrict
third-party and vendor networks. Based on the above recommendations, it would be prudent that
Mercury USA purchases the Nessus tool to help address cybersecurity concerns.
References
[1] Coffey, K., Maglaras, L. A., Smith, R., Janicke, H., Ferrag, M. A., Derhab, A., … &
Yousaf, A. (2018). Vulnerability assessment of cybersecurity for SCADA systems. In
Guide to Vulnerability Analysis for Computer Networks and Systems (pp. 59-80).
Springer, Cham.
[2] Kumar, S. A., & Xu, B. (2017, June). Vulnerability assessment for security in aviation
cyber-physical systems. In 2017 IEEE 4th International Conference on Cyber Security
and Cloud Computing (CSCloud) (pp. 145-150). IEEE.
[3] Mantha, B. R., & de Soto, B. G. (2019). Cybersecurity challenges and vulnerability
assessment in the construction industry.
[4] Radanliev, P., De Roure, D., Cannady, S., Montalvo, R. M., Nicolescu, R., & Huth, M.
(2018). The economic impact of IoT cyber risk-analyzing past and present to predict
future developments in IoT risk analysis and IoT cyber insurance. Available at
https://digital-library.theiet.org/content/conferences/10.1049/cp.2018.0003
[5] Robinson, R. M., Ezell, B., Foytik, P., & Jordan, C. (2013). Cyber Risk to Transportation
Industrial Control Systems. Cyber Security and Systems Information Analysis, 1(4), 2-8.
Available at https://www.csiac.org/wpcontent/uploads/2016/02/CSIAC_V1N4_FINAL_2.pdf#page=2
[6] Tam, K., & Jones, K. (2018, June). Cyber-risk assessment for autonomous ships. In 2018
International Conference on Cyber Security and Protection of Digital Services (Cyber
Security) (pp. 1-8). IEEE. Available at
https://ieeexplore.ieee.org/abstract/document/8560690