Security Recommendations Reports

Project Name

Group 2

University of Maryland Global Campus


ITEC 610 9041 Information Technology Foundations (2245)

Professor Tanis Stewart

June 24, 2024

1. Setting and Situation

The Bureau of Research and Intelligence (BRI) is entrusted with the crucial responsibility of giving American diplomats intelligence from various sources, while strictly adhering to U.S. foreign policy and maintaining the utmost confidentiality. As technology advances, new security risks and threats emerge.

BRI has encountered several significant breaches and challenges, which are as follows:

1. Network Compromise: State-sponsored hackers targeted BRI’s network, successfully gaining unauthorized access to sensitive intelligence data.

2. Misuse of Personal Email: The bureau chief used personal email for official purposes, thereby exposing sensitive information to potential risks.

3. HR System Breach: A flaw in the HR system allowed authorized individuals to access employees’ personal information. Unfortunately, the cause of this breach remains undetermined and unresolved.

4. Stolen Laptop: A teleworker’s laptop, containing classified information, was stolen and remains unrecovered, posing a significant security concern.

5. Contractor Leak: A contractor leaked classified documents, thereby exposing confidential communication between diplomats and the President, which is highly sensitive.

6. Malware Infection: Computers within various foreign embassies fell victim to malware infections, resulting in security risks and causing public embarrassment for the affected parties.

As a result of these reports, the U.S. Accountability Office conducted a thorough examination of BRI’s information security, and several vulnerabilities were identified:

Identification and Authentication Controls

It was discovered that the passwords in use were short, did not have an expiration date, and were the sole means of authentication. This posed a significant risk as it increased the likelihood of unauthorized access to sensitive data.

Authorization Controls

The access privileges granted to users were excessive, and the management of databases was poorly executed, with all operations being carried out under single accounts. This lack of proper oversight and control created an environment where potential breaches could occur undetected.

Data Security

It was observed that data-at-rest was not encrypted, leaving sensitive information vulnerable to unauthorized access. This lack of encryption meant that even unclassified databases could potentially be exploited to derive sensitive information.

System Security

The utilization of outdated WEP standards posed a significant risk. This allowed personal devices to connect to the network, potentially compromising the security of the entire system.

Additionally, it was found that BRI lacked comprehensive plans for incident recovery. This absence of a clear strategy, coupled with infested security controls and inconsistent patching, left the organization susceptible to prolonged disruptions and potential data breaches.

Physical Security

Unauthorized personnel gained access to secure areas, and former employees retained access privileges even after leaving the organization. This lack of proper access management and control further increased the risk of unauthorized access and potential data breaches.

End User Security

It was noted that security training provided to employees was minimal, and the use of social media was allowed in restricted areas. Additionally, public cloud services were utilized for data storage, which introduced additional security concerns. Furthermore, there were no ongoing background checks or policies in place for handling classified information, leaving the organization vulnerable to insider threats.

2. Risk Assessment Methodology

There have been some high-profile security incidents at the Bureau of Research and Intelligence. Therefore, a comprehensive risk assessment had to be conducted. The methodology followed by the IT security consultant team in this regard conforms to what has been laid down by the National Institute of Standards and Technology. It represents a structured way of identifying, evaluating, and prioritizing risks to enhance the overall security posture at BRI.

The risk assessment methodology was based on NIST’s “Guide for Conducting Risk Assessments” (Special Publication 800-30). This framework provided a structured process to assess and manage risks, thus ensuring that all factors within BRI’s information technology environment were adequately reviewed. The methodology started with the setup phase, which included the definition of the purpose, scope, assumptions, and assessment constraints. The key objective of the exercise was to identify security risks that could be used to compromise the functions and properties of BRI. The scope of the risk assessment was extensive, as it covered all IT systems and processes within BRI. Nevertheless, the areas attacked in recent incidents were the primary focus, while constraints included limited time and access.

Various critical activities were at the center of the risk assessment process. First, there was the identification of threats. The threat sources that could exploit the vulnerabilities existing within BRI’s IT environment had to be identified. These include nation-state actors, insider threats, and external hackers. Pointing out the sources of those threats made it easier to understand the different avenues through which BRI’s security could be jeopardized.

The group then went on to identify the vulnerabilities within the IT infrastructure of BRI. Among them were weak password policies, overprivileged users, no data-at-rest encryption, and outdated security protocols, all of which increased the risk of unauthorized access and breaches. Analysis of these weaknesses helped the team identify where BRI’s security defenses were most vulnerable. The team then analyzed the possible impact of the identified threats exploiting these vulnerabilities. This includes impacts such as data breaches, loss of sensitive information, and operational disruptions in BRI activities. Knowledge of the extent of such impacts is necessary for risk prioritization.

The next step was to assess the likelihood that each identified threat would exploit a vulnerability. The assessment considers historical data, aggregates threat vectors from intelligence, and assesses the current security posture at BRI. Combining these two independent assessments, impact and likelihood, gave a comprehensive overview of the possible threats against the IT setup deployed at BRI. As such, the team could review and prioritize those risks that needed immediate attention.

Subsequently, the assessment results were documented and detailed reports were prepared that gave directions and recommendations for all identified risks and their possible impacts and mitigation strategies. This report is to be presented to relevant parties so that they are informed of these security risks and how much effort each one needs to put in to handle them effectively.

The risk assessment methodology was underpinned by several essential reference materials and resources. The chief resource was the NIST publications, which presented a number of risk management principles and frameworks, ensuring the methodology’s conformance to industry standards. The SANS Reading Room provided a large volume of white papers on different aspects of information technology security, which gave insight into the latest security trends and best practices. Publications and alerts from the United States Computer Emergency Readiness Team were also informative about new and emerging threats and vulnerabilities. Other sources, including CSO Magazine, Information Security Magazine, and Homeland Security News Wire, were tapped for updates and other information to keep the risk assessment framework current and relevant.

3. Risk Assessment Plan

4. Risk Assessment Findings

5. Security Recommendations Reports

6. Conclusion

Reference:

Stewart, T. (2024, June). ITEC 610 PROJECT DESCRIPTIONS: IT Security Risk Assessment. Reading.
