Evaluative Report: Systems critique and solutions proposal

Added on: 2024-11-19 22:00:38

Overview

In this assessment, you will write an evaluative report for the fictional organisation Manawa Architecture Limited that identifies information security vulnerabilities, strategises solutions, and proposes a policy for responding to incidents.

This assessment has two tasks:

Task 1: Carry out vulnerability scanning on core areas of the business and include your findings in the report, including critique of common vulnerabilities and realistic secure solutions.

Task 2: Develop a Critical Incident Response Policy and Plan that will enable Manawa Architecture Limited to respond to and manage incidents that may arise.

Scenario

Manawa Architecture Limited is a renowned architecture company offering services throughout New Zealand. The company has recently completed some organisational restructuring and a new Board of Directors has been appointed. The new management team has a strong interest in Information Security and is keen to improve organisational security and compliance measures at Manawa Architecture Limited to provide a secure and effective service to all their clients throughout the country.

Manawa Architecture Limited employs approximately 160 employees in three cities across the country. The main office is in Wellington, which houses 90 employees. The Auckland and Palmerston North offices each have 30-40 employees. Each of the offices is tied to its Tier-1 Data Centre in Wellington.

You have recently been employed as their Information Security Team Lead.

Check out the Case Study below to get a feel for their infrastructure setup and known issues. This will give you some context before you start working on the tasks below.

Manawa Architecture Ltd Case Study-1. (Below is the Case Study)

Infrastructure

Manawa's IT infrastructure looks as follows:

The offices and data centre have high-tech physical security in place.

The main data types used or stored at Manawa include architecture blueprints, diagrams, specifications, project management files, client data including financial records and contact details, and company data including personal and financial information.

Most staff use Microsoft servers, PCs, and laptops (for client visits) with a small number of employees using Mac computers.

Manawa uses Active Directory and has a web server for their internet website.

They have three servers for storing their architecture applications as well as a training server, three Microsoft SQL database servers, and one redundant Microsoft Exchange server for email.

File sharing is done via their own internal cloud architecture using a combination of legacy SharePoint and shared folders.

There are 12 virtualised Windows Server 2016 servers in the main office on four physical server blades.

System updates and patches are pushed from Wellington using Windows Server Update Services (WSUS). Most servers and clients get Microsoft updates monthly, but some are missed. While the architecture software gets updated regularly, many of their non-critical third-party products (for example, Adobe PDF, Java, and web browsers) are not kept up to date.

Palmerston North and Auckland each have their own virtualised server for storing files, printing, and running local applications.

Each office has a decentralized wireless network connected to the production network. The default SSID is used with a common password of Manawa01.

Laptops and PCs run Windows 10.

Manawa outsources their email spam filter to a separate third-party company.

Each network location sits behind a gateway router and firewall (Cisco ASA 5525).

Trend Micro Antivirus is used, but its updates do not always reach employees who work remotely.

For those working remotely, DUO multi-factor authentication is used to gain access to Manawa's corporate systems via a company VPN (Cisco AnyConnect v4.6.). Once connected through the VPN, employees typically RDP to the Windows desktop/server to access their applications and files.

Remote employees have local administrator permissions. Quite often, they store files on their local PCs. Some back up their data using their own USB drives.

The company's accounting team is spread across the different locations so they can provide local support for clients. They use Xero.

A password policy is in place requiring at least eight characters including one number. Employees need to change their passwords at least once every 120 days.

The Chief Information Officer has a full-time staff of 7 employees, one of whom does security duties part time. There is at least one IT staff member at each location.

Known Issues:

There are a number of known issues with Manawa's current environment.

A year ago, several laptops and some office equipment were stolen from the Palmerston North office.

Two employees in the Wellington office (an HR manager and an architect) were victims of Crypto Locker ransomware.

Vulnerability scanning is conducted every two months by an outsourced company. Only high-risk items are shared with the Chief Information Officer.

It's up to the data owner whether or not to secure their data files or folders. Many do not secure their files because other employees often need to work with those files. There have been rumours for some time that customer data and intellectual property have been lost.

Two employees recently left the company and went to Manawa's biggest competitor, taking one of their larger accounts with them.

Vendors have physical and digital access to the sites and computers without requiring authorization or supervision.

On-site staff at each office provide IT support in a part-time capacity in addition to their other responsibilities.

When password resets are done, a generic password of ActiveUser01 is issued.

Manawa's IT policies were written in 2015. There have been attempts to update them, but other projects have taken priority.

Each new employee is required to sign an Acceptable User Agreement upon hire. They are also required to complete a 30-minute security awareness online module. There is no requirement for employees to re-sign the agreement or receive other security training.

During the last audit of system accounts in 2019, it was discovered that 20 prior employees still had access to internal networks and applications.

The outsourced company that does vulnerability scanning has a 24x7 network and security operation centre to monitor and report on anomalies and potential threats or vulnerabilities. Since 2018, only high-risk alerts get emailed to the Chief Information Officer. There's a project to update the alert rules, but it's rumoured this is on hold.

The firm's incident response plan was written in 2013 and updated in 2016. It contains contact information for now-terminated employees. There is no clear response, recovery tests or training. The recovery plan is failover to one of the other sites.

Instructions

The context:

Your manager at Manawa Architecture Limited has tasked you (the Information Security Team Lead) to tighten up certain practices at Manawa Architecture Limited. She wants you to draft an evaluative report that analyses the organisation's current vulnerabilities and develops a strategy for responding to any incidents that might occur.

Include the following two tasks in your report:

Task 1: Vulnerability Scan Report (most important, as it carries 40 points)

Using your own computer or virtual environment, carry out two vulnerability scans from the list below.

Cloud vulnerabilities (public or private)

Host vulnerabilities

Network vulnerabilities

Database vulnerabilities

In your Task 1 Report:

Identify which vulnerability scanning tools you chose, or would choose for each area, and rationalise your decision/s. Please choose open-source free tools.

Analyse your findings from the two scans you ran, and identify:

How these risks can be addressed

What level of attention does each risk need, e.g. immediate attention (High Risk), moderate attention (Medium Risk), and/or low attention (Low Risk), and why.

For the remaining two areas that you did not do a vulnerability scan for, critique common vulnerabilities to look out for, the potential impact these could have if not addressed and offer secure solutions.

Criteria Ratings

Task 1: Vulnerability Scan Report - Tools: 10 to >8.0 pts

Identifies and applies appropriate open-source vulnerability tools with thorough rationale as to why they were chosen

Task 1: Vulnerability Scan Report - Findings and Critique: 30 to >24.0 pts

In-depth and critical analysis of the findings of the two scans informs an insightful critique of common vulnerabilities, their system level classification, and the proposal of realistic, secure solutions.

Task 2: Critical Incident Response Policy and Plan (most important, as it carries 60 points)

Develop a combined Critical Incident Response policy and plan that will enable Manawa Architecture Limited to respond to and manage incidents that may arise in a timely manner, allowing the business to continue as normal.

Your document should include the following sections:

Purpose

Audience

Terms and Definitions

Scope

Roles and Responsibilities

Incident Response Policy

Threat Classification

Process Overview (including preparation, detection and analysis, containment, eradication, and recovery)

Incident Response Procedures (for each of the above process steps)

Post Incident Activities (including communications, breach notifications, reporting, record keeping, follow ups)

Criteria Ratings

Task 2: Critical Incident Response Policy & Plan - Introduction: 10 to >8.0 pts

Provides a strong purpose and scope, clarifies intended audience, sets out well-defined roles and responsibilities where applicable, provides succinct well worded information to ensure the reader understands the context of the policy/procedure in terms of the wider organisation.

Task 2: Critical Incident Response Policy & Plan - Core Information: 40 to >32.0 pts

Critiques the organisational computing environment to capture and describe the policy, processes, and procedures in sophisticated detail, showing clear and logical thinking.

Task 2: Layout, Quality and Style: 10 to >8.0 pts

Demonstrates a sophisticated writing style through clever use of sentence structure and word choice. Layout is logical. Uses Plain English to allow for easy understanding. Overall document is error-free, and includes correct grammar, spelling, and acronym use.

  • Uploaded By : Pooja Dhaka
  • Posted on : November 19th, 2024