To begin this assignment, review the prompt and grading rubric in the Module Five Short Response Guidelines and Rubric. You will be working through Breach Analysis Simulation Scenario Two PPT, or its text-based alternative PDF, which is an interactive scenario that you will use to address questions in the prompt. When you have finished your work, submit the assignment here for grading and instructor feedback.

CYB 250 Module Five Short Response Guidelines and Rubric

Overview

Security analysts play an important role working alongside the computer incident response team (CIRT). The analyst will be the individual who either fixes the issues or allocates resources to fix the issues identified by the CIRT. Using resources to facilitate the work becomes essential to sustain the health of an organization. Applying the Center for Internet Security (CIS) critical controls to company infrastructure is normal practice for an analyst. The controls are meant to guide the organization toward compliance. They are not meant to be used in isolation. Comparing an organization’s technical concerns to the CIS critical controls provides a means of developing solutions to remediate issues. Once the issues are identified and remediated, the next step is to determine how to properly report those issues to different stakeholders.

Prompt

After reviewing Breach Analysis Simulation Scenario Two, address the critical elements below:

I. Reporting: Select an audience for reporting (sales team, senior management, or other stakeholders).

A. Explain how you report technical concerns to non-technical people in your selected audience. Keep in mind that most managerial roles are non-technical in nature; managers need information presented to them in a format they can easily understand and use.

II. Subcontrols: Refer to the CIS Controls worksheet used in Breach Analysis Simulation Scenario Two and recommend two additional subcontrols that could be modified by policy, implementation, automation, or reporting to enhance security for the organization.

A. Subcontrol One: Describe the modification of the subcontrol and justify your recommendation.

B. Subcontrol Two: Describe the modification of the subcontrol and justify your recommendation.

III. Two-Factor Authentication: A proposed solution for the breach issue is to use RSA key fobs as a means of two-factor authentication.

A. Discuss the merits of using RSA encryption and the implementation of two-factor authentication.

B. Discuss how different forms of encryption may be used in VPN software.

What to Submit

Your submission should be 1 to 2 pages in length. Use double spacing, 12-point Times New Roman font, and one-inch margins. All sources must be cited using APA format. Use a file name that includes the course code, the assignment title, and your name, for example, CYB_123_Assignment_Firstname_Lastname.docx.



11/25/24, 12:36 PM Assignment Information

https://learn.snhu.edu/d2l/le/content/1748997/viewContent/36623164/View 1/2

Module Five Short Response Rubric

| Criteria | Exemplary (100%) | Proficient (85%) | Needs Improvement (55%) | Not Evident (0%) | Value |
| --- | --- | --- | --- | --- | --- |
| Reporting: Report Technical Concerns | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Explains how to report technical concerns to nontechnical people in the selected audience | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 30 |
| Subcontrols: Subcontrol One | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Describes the modification of the subcontrol and justifies the recommendation | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 15 |
| Subcontrols: Subcontrol Two | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Describes the modification of the subcontrol and justifies the recommendation | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 15 |
| Two-Factor Authentication: RSA Encryption | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Discusses the merits of using RSA encryption and the implementation of two-factor authentication | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 15 |
| Two-factor Authentication: VPN Software | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Discusses how different forms of encryption may be used in VPN software | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 15 |
| Articulation of Response | Submission is free of errors related to citations, grammar, spelling, and organization and is presented in a professional and easy-to-read format | Submission has no major errors related to citations, grammar, spelling, or organization | Submission has some errors related to citations, grammar, spelling, or organization that negatively impact readability and articulation of main ideas | Submission has critical errors related to citations, grammar, spelling, or organization that prevent understanding of ideas | 10 |
| Total | | | | | 100% |

Published by Articulate® Storyline www.articulate.com

CYB 250 Module Five Short Response Text Version

Breach Analysis Simulation

Breach Analysis Simulation Scenario Two

Breach Analysis Simulation Introduction

Read through the following scenario. You will then be asked to make choices based on your experience as a security analyst. While there is a best path through the simulation, many of the other options are viable. You are encouraged to explore all of the options to enhance your knowledge and to prepare you for future breaches. The purpose of this simulation is to develop your systems thinking mindset and mature your cyber defense strategies.

Breach Analysis Simulation: Scenario Two

You are a security analyst working for an organization that sells mass storage solutions to companies. Several of your clients are law firms. During a routine audit, a breach was identified. This calls into question the safeguards that your company has in place to protect data integrity. Following up on the findings from the computer incident response team (CIRT), your manager has tasked you with reviewing the current controls.

Subset of Current Controls

Review this subset of current controls in the spreadsheet. Prioritize them in the order you would address them for this breach by dragging and dropping each control into the right column. (For more information on the controls, review the CIS Controls document.)

• CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

• CIS Control 12: Boundary Defense

• CIS Control 13: Data Protection

• CIS Control 14: Controlled Access Based on the Need to Know

• CIS Control 16: Account Monitoring and Control

1. Challenge One

1.1 Challenge One: Current Controls Infrastructure Analysis

Based on your input and that of other stakeholders, the highest priority has been deemed to be CIS Control 13: Data Protection; specifically, the focus is subcontrol 13.3 (Monitor and Block Unauthorized Network Traffic). The organization has the automatic tools installed and a policy has been created for the control, but the control is not configured. What is the next step necessary to assure compliance to this control? Below are the possible answers:

• Automate this control

• Report on this control

• Implement the control

1.2 Automate this control

Incorrect. If the policy is not first implemented, it cannot be automated. Try selecting a different response.

1.3 Report on this control

Incorrect. If the policy is not first implemented, it cannot be reported on. Try selecting a different response.

1.4 Implement the control

Correct! For a control to actually work, it needs to be implemented. This should be the first step after the policy is defined.

1.5 Challenge One Review

Nice work! The goal for any system is to be fully automated. It is important to make sure that all policies are created, implemented, and automated if possible. Some controls cannot be fully automated and may need to have some human interaction. During CIRT’s investigation of the breach, they determined that its root cause was network related. Your manager is now assigning you the analysis of network policies related to the breach.

2. Challenge Two

2.1 Challenge Two: Investigating the Network

CIRT identified a port that was mistakenly left open; a client machine was communicating with another client machine on an isolated network. Further investigation identified that this port was left open after configuration files had been moved three weeks prior. This left the network open to attack. The current policy for subcontrol 12.2 (Scan for Unauthorized Connections Across Trusted Network Boundaries) specifies that scans should be scheduled to run monthly.

How would you update the policy to prevent this type of vulnerability in the future? Below are the possible answers:

• Scans should be run as often as time allows

• Scans should be run on a daily basis

• Scans should be run based on the current policy and after any configuration changes

2.2 Scans should be run as often as time allows

Incorrect! It is a good strategy to always run scans on a routine basis. Running them as often as time allows could either use up more resources than needed or, worse, could result in scans being put off for a long period of time, leaving the network open to attacks. Try selecting a different response.

2.3 Scans should be run on a daily basis

Good choice! However, running scans on a daily basis could significantly tax resources. Updating the policy in this manner may keep the network more secure, but at what cost? This update could require changes to the company infrastructure.

If we updated the policy to require that scanning be completed on a daily basis, what is the biggest issue with the availability tenet of the CIA triad? Below are the possible answers:

• The resources requirement is not met.

• The resources are not properly allocated.

• Daily scanning could tax resources beyond their capabilities.

2.3.1 The resources requirement is not met.

Incorrect! If you are trying to implement a task where there are not proper resources available to perform the action, the task cannot be completed. Evaluating and planning resources is an important part of project planning. Try selecting a different response.

2.3.2 The resources are not properly allocated.

Incorrect! The resources are available but they are not allocated to the project or task. Allocating the proper resources can be done through dependency charts or project timeline planning. Try selecting a different response.

2.3.3 Daily scanning could tax resources beyond their capabilities.

Correct! It is possible to overuse the resources allocated for a job. Although there may be IT infrastructure time for the scans to run every day, the human part of the resources may not have the time. It is important to balance the amount of human resources and IT resources a project is going to need to be efficient. A proper balance allows all parts of the system to run properly. Now that you have explored the impact on resources, return to Challenge Two and try selecting a different response.

2.4 Scans should be run based on the current policy and after any configuration changes

Correct! Running the scans on a routine basis is essential for the company to stay secure. The interval in the current policy has been sufficient; however, the policy should always be evaluated for optimal efficiency. If this evaluation deems monthly scans are adequate, the policy should be updated to always run scans after any configuration changes, which makes sure that no other part of the system is vulnerable or no important resources are left unprotected.
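The policy chosen in 2.4 (keep the scheduled interval and also scan after any configuration change) can be enforced by a check that runs whenever device configs are deployed. The Python below is an added example, not part of the course material; the device names, config contents, dates, and the 30-day reading of "monthly" are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta

SCAN_INTERVAL = timedelta(days=30)  # assumption: "monthly" treated as 30 days


def digests(configs):
    """Map each config name to the SHA-256 of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in configs.items()}


def changed_configs(baseline, current):
    """Names added, removed, or modified relative to the digests saved at the last scan."""
    names = set(baseline) | set(current)
    return sorted(n for n in names if baseline.get(n) != current.get(n))


def scan_reasons(now, last_scan_at, baseline, configs, change_triggered=True):
    """Reasons a boundary scan is required now; an empty list means none is due."""
    reasons = []
    if now - last_scan_at >= SCAN_INTERVAL:
        reasons.append("scheduled interval elapsed")
    if change_triggered:
        changed = changed_configs(baseline, digests(configs))
        if changed:
            reasons.append("configuration changed: " + ", ".join(changed))
    return reasons


# Constructed sample data: hypothetical device names and config contents.
LAST_SCAN = datetime(2024, 11, 1)
AT_LAST_SCAN = {
    "edge-fw.conf": b"deny client-net -> isolated-net any\n",
    "core-sw.conf": b"vlan 20 isolated\n",
}
BASELINE = digests(AT_LAST_SCAN)  # stored when the last scan completed
# The files are moved and one rule is lost in the process (constructed change).
AFTER_MOVE = {**AT_LAST_SCAN, "edge-fw.conf": b"permit client-net -> isolated-net tcp/PORT\n"}

if __name__ == "__main__":
    day = LAST_SCAN + timedelta(days=3)  # the day of the move
    # Interval-only policy: nothing is due, so the open port goes unscanned.
    print("monthly only:       ", scan_reasons(day, LAST_SCAN, BASELINE, AFTER_MOVE, change_triggered=False))
    # Interval plus change trigger: a scan is required the same day.
    print("monthly + on change:", scan_reasons(day, LAST_SCAN, BASELINE, AFTER_MOVE))
```

After a triggered scan completes, the stored baseline is replaced with the digests of the configs that were scanned, so the next comparison starts from the verified state.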

3. Challenge Three

3.1 Challenge Three: Email from the Manager

Manager: “The law firms that we store information for are very concerned with the integrity of their data on our system. We must guarantee that the information that resides on our system has not been modified in any way after they uploaded files. We can look at several options to verify that our security is still the best it can be. I propose the following areas for further investigation: human components, hardware components, encryption and security policies.”

What area of security do you think is the most important, given the nature of the breach? Below are the possible answers:

• Encryption and security policies

• Hardware components

• Human components

3.2 Encryption and security policies

Correct! There may be certain regulations that your company is held to because of the type of information that it is storing. There could be a need for Health Insurance Portability and Accountability Act (HIPAA) compliance and other forms of privacy. Looking at CIS subcontrols 16.3 (Require Multi-Factor Authentication), 16.4 (Encrypt or Hash All Authentication Credentials), and 16.7 (Establish Process for Revoking Access), we get a strong recommendation that our system needs to have two-factor authentication, needs to use hashing for credentials, and needs to have a process in place for removing employees’ access when they leave the law firms. There are other considerations, but these would need to be our priorities to help ensure the security of data integrity and availability. This is a case where the other options are also viable. You are encouraged to explore them to enhance your knowledge and to prepare you for future breaches.

3.3 Hardware components

Correct! Having the most up-to-date system and controls in place will facilitate strong defense from outside influences. CIS critical subcontrol 11.5 (Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions) details that all components of the system must use two-factor authentication. This ensures confidentiality of the information within the system and enhances the security by restricting unwanted access to the system. Try selecting a different response. This is a case where the other options are also viable. You are encouraged to explore them to enhance your knowledge and to prepare you for future breaches.

3.4 Human components

Correct! The human factor of the system can always be the weakest link. Based on CIS critical subcontrol 14.8 (Encrypt Sensitive Information at Rest), we must encrypt all sensitive data at rest and use tools that require two-factor authentication. Having this policy in place and fully implemented saved the situation because even though the attackers were able to gain access to the network, there was no way for them to access the law firms’ sensitive information stored on our network. Try selecting a different response. This is a case where the other options are also viable. You are encouraged to explore them to enhance your knowledge and to prepare you for future breaches.

4. Challenge Four

4.1 Challenge Four: After the Breach

Since the breach, the IT security team has been proactively identifying other potential vulnerabilities to prevent future breaches. This team has identified gaps in the security of your system. Which of the following solutions would you address first, prioritizing time and budget? Below are the possible answers:

• Evaluate virtual private network (VPN) technologies

• Evaluate email encryption

• Evaluate file integrity

4.2 Evaluate virtual private network (VPN) technologies

Good thought! While not the most ideal solution if you prioritize timeliness, this represents a longer-term solution. An encrypted tunnel to the data may require hardware upgrades and protocol changes. Try selecting a different response.

4.3 Evaluate email encryption

Good thought! However, this solution requires a dedicated server, and software upgrades or migration to a more robust platform. This is the least preferable option when you consider timeliness and scope because it impacts so many systems; however, it does have far-reaching implications for the organization’s security posture. Try selecting a different response.

4.4 Evaluate file integrity

Correct! This is the ideal situation. This solution satisfies the stakeholders with a business-relevant solution that is low-cost and quick to implement.

Breach Analysis Simulation Scenario Two Summary

After debriefing with CIRT, the director of IT, and the IT security team, we need to discuss the reporting needs. This information needs to be shared with various audiences. You need to frame your report to each audience carefully because different audiences have different needs and technical knowledge. For example, senior management (CEO/CFO/CIO) needs you to provide them with a means to make informed decisions to address the identified gaps in security policies. In your activity this week, you will continue this scenario and take the next steps in reporting and recommending solutions.
