Presentation to Management

Running Head: REPORT 1

VM Scanner Background Report

University of Maryland Global Campus

22 November 2021

Introduction

Vulnerability management (VM) programs play a critical role in Mercury USA's overall information security program by limiting the attack surface. Many organizations have fallen victim to cyber-attacks delivered by different kinds of malware, and for that reason a vulnerability assessment was carried out by an external firm. The main objective of this report is to explain how vulnerabilities should be managed, which tools should be used, and how the results bear on Mercury USA's business case.

To start with, this report recommends a VM process tailored to the organization. Secondly, it reviews the nature of the re-evaluated vulnerability scan results. Lastly, it describes the position Mercury USA may find itself in if the recommendations are not adopted. Mercury USA management has serious security concerns, and it is our duty to provide a solution.

Part 1: Nessus Vulnerability Report Analysis

To establish an effective VM process, the organization must first review the legislation and rules that govern such processes. A current standard relevant to this organization is PCI DSS, whose latest version strengthens cardholder data security. Beyond complying with PCI DSS, the organization can use the standard to improve its own practices. This normally starts with classifying data according to its sensitivity so that each class receives appropriate protection; information can be categorized, for example, as public, private, secret or top secret.

We should also consider the value of the organization's information assets. This is normally gauged through qualitative and quantitative risk assessments. Once internal and external risk assessments have been performed, the assets identified as critical are treated as likely targets because of their impact on the organization's operations. To assess vulnerabilities properly, regular vulnerability scans must be carried out, and to satisfy the various regulatory bodies the organization must also be audited at least once a year. Scans should be run with credentials. A credentialed scan takes more effort to set up than an uncredentialed one, but it is far more comprehensive, because the scanner can log in and inspect installed software, patch levels and configuration rather than only what is visible from the network, and it produces more reliable results.

Because digital threats are dynamic and change over time, it is advisable to scan at least monthly, and again after any significant change to the environment. After evaluating several network vulnerability scanners, Nessus stands out with a well-established history as one of the most capable scanning tools, producing detailed and reliable scan results. Nessus Professional is not free, but its cost is justified by the expected loss from a cyber-attack.

Nessus results and recommendations should be acted on and recorded in reports. These reports become the reference for deciding which vulnerabilities pose the greatest threat to the organization. Detailed reports can be generated for the IT department, listing each finding per host with its severity and remediation, while executive reports can be generated to give management the key figures and a set of recommendations to support critical decisions.

[Figure omitted: screenshot of a graphical user interface]

Part 2: The Business Case

Given the steady and constantly evolving threats posed by digital attackers, we have a rough picture of what could happen to our organization in the event of an attack. Our management is aware of recent security incidents at other organizations, and those organizations will no doubt try their best to avoid further attacks; our organization may not be so lucky. Because of the organization's rapid growth, it is hard to know which attacks we are actually protected against. Attackers could gain access to our sensitive documents and exfiltrate them, including bank account details, credit card data and employees' PII.

Once such sensitive data has been extracted, attackers can deploy ransomware that encrypts our files and blocks access to them. They then demand a ransom, typically in cryptocurrency that is difficult to trace, in exchange for a decryption key that is not guaranteed to work. The real cost could far exceed what the organization can pay, leaving its systems locked and halting critical operations. The impact of a cyber-attack is felt immediately through lost income and lost customer confidence. On top of that, lawsuits may be filed against the organization for failing to secure client data properly, and their cost could cause the organization to fold.

This may look like the worst possible outcome, but in reality many organizations have faced exactly this. The average cost of a malware attack three years ago was reported at about $1 million, a large amount compared with the cost of properly protecting our most sensitive IT resources and critical information. The recommended VM process gives a broad approach: identify critical assets, scan those assets for vulnerabilities with Nessus, and generate comprehensive reports to support critical decision-making. This makes Nessus the key tool in our VM process.

Part 3: Nessus Purchase Recommendation

On review, the scan output provided by the external source was not sufficient. The scan was run with OpenVAS, a Linux-based assessment tool, and it left many questions unanswered. When used properly OpenVAS can produce detailed output on current vulnerabilities, even in an enterprise environment (Hoffman, 2020). It is available for free, but that comes at the cost of several features: according to the same comparison, it does not support every operating system and provides no policy management, so parts of the environment can go unchecked and the organization stays exposed.

The third-party report scanned a single host IP address for three minutes and found only four weaknesses. A thorough scan of the network can take an hour or more, depending on the size of the network and the scan configuration, and will normally turn up far more findings. It is evident that only a small fraction of the vulnerabilities present were identified. This report should not be presented to top management, because it does not reflect the true security status of the organization. It is therefore strongly advisable to purchase Nessus Professional and let the organization's own team carry out a proper vulnerability scan. Once the scan results have been compiled and reviewed, an appropriate report can be generated and presented to management.
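The two report types described in Part 1 (a detailed per-host list for IT and a summary for management) and the scope problem behind Part 3 (one host, no credentials, four findings) can both be handled from the raw scan export. The following Python script is an added example written for this page, not code from the report or from Tenable. It reads the Nessus v2 (.nessus) XML layout (ReportHost and ReportItem elements carrying severity, cvss_base_score and solution, plus the Credentialed_Scan host property) and runs on a constructed sample export whose hosts, plugin IDs and finding names are placeholders. The Credentialed_Scan tag name is an assumption to verify against your own export.

```python
"""Summarise a Nessus v2 (.nessus XML) export into the two views from
Part 1 (per-host finding list for IT, severity roll-up for management)
and apply the Part 3 checks before anything reaches management: was the
scan credentialed, and did it cover the asset inventory?
Added example, not code from the report. The export is constructed:
hosts, plugin IDs and finding names are placeholders, not real plugins.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}  # ReportItem@severity

# Constructed sample with the .nessus v2 layout: one credentialed host, one not.
# The Credentialed_Scan host property is assumed to carry "true"/"false".
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="Mercury USA monthly scan">
<ReportHost name="10.10.1.5"><HostProperties>
<tag name="host-ip">10.10.1.5</tag><tag name="Credentialed_Scan">true</tag>
</HostProperties>
<ReportItem port="0" protocol="tcp" severity="4" pluginID="900001" pluginName="Example: unsupported operating system">
<risk_factor>Critical</risk_factor><cvss_base_score>10.0</cvss_base_score>
<solution>Upgrade to a supported operating system.</solution></ReportItem>
<ReportItem port="445" protocol="tcp" severity="3" pluginID="900002" pluginName="Example: file sharing without signing">
<risk_factor>High</risk_factor><cvss_base_score>7.5</cvss_base_score>
<solution>Require message signing on the service.</solution></ReportItem>
<ReportItem port="22" protocol="tcp" severity="0" pluginID="900003" pluginName="Example: SSH service detected">
<risk_factor>None</risk_factor></ReportItem>
</ReportHost>
<ReportHost name="10.10.1.9"><HostProperties>
<tag name="host-ip">10.10.1.9</tag><tag name="Credentialed_Scan">false</tag>
</HostProperties>
<ReportItem port="80" protocol="tcp" severity="2" pluginID="900004" pluginName="Example: web server discloses version">
<risk_factor>Medium</risk_factor><cvss_base_score>5.3</cvss_base_score>
<solution>Suppress the server version banner.</solution></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return (findings, credentialed): one dict per ReportItem, and
    host -> bool taken from the Credentialed_Scan host property."""
    findings, credentialed = [], {}
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        name = host.get("name")
        flag = host.findtext("HostProperties/tag[@name='Credentialed_Scan']") or ""
        credentialed[name] = flag.lower() == "true"
        for item in host.iter("ReportItem"):
            findings.append({
                "host": name,
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "cvss": float(item.findtext("cvss_base_score") or 0.0),
                "solution": item.findtext("solution") or "",
            })
    return findings, credentialed


def it_report(findings):
    """Detailed view for IT: non-informational findings grouped by host,
    worst first, so each system owner sees what to fix and in what order."""
    by_host = defaultdict(list)
    for f in findings:
        if f["severity"] > 0:
            by_host[f["host"]].append(f)
    for items in by_host.values():
        items.sort(key=lambda f: (-f["severity"], -f["cvss"], f["port"]))
    return dict(by_host)


def management_summary(findings, credentialed, inventory):
    """Roll-up for management: counts by severity, hosts carrying the worst
    finding, and the caveats that decide whether the numbers can be trusted:
    hosts scanned without credentials and inventory that was never scanned."""
    actionable = [f for f in findings if f["severity"] > 0]
    worst = max((f["severity"] for f in actionable), default=0)
    scanned, inventory = set(credentialed), set(inventory)
    return {
        "counts": dict(Counter(SEVERITY[f["severity"]] for f in actionable)),
        "worst_severity": SEVERITY[worst],
        "worst_hosts": sorted({f["host"] for f in actionable if f["severity"] == worst}),
        "uncredentialed_hosts": sorted(h for h, ok in credentialed.items() if not ok),
        "not_scanned": sorted(inventory - scanned),
        "coverage_pct": round(100 * len(scanned & inventory) / len(inventory), 1) if inventory else 0.0,
    }


def fit_for_management(summary):
    """Part 3's rule: a scan that skipped inventory or ran without credentials
    does not describe the real posture and should not be presented as if it did."""
    return not summary["not_scanned"] and not summary["uncredentialed_hosts"]


if __name__ == "__main__":
    inventory = ["10.10.1.5", "10.10.1.9", "10.10.1.20"]  # constructed asset list
    findings, cred = parse_nessus(SAMPLE_NESSUS)
    for host, items in it_report(findings).items():
        print(host)
        for f in items:
            print(f"  [{SEVERITY[f['severity']]}] {f['name']} ({f['protocol']}/{f['port']}): {f['solution']}")
    summary = management_summary(findings, cred, inventory)
    print(summary)
    print("fit for management:", fit_for_management(summary))
```

On a real export, pass the file contents to parse_nessus and the host list from the asset inventory as the inventory argument. The fit_for_management check is what would have rejected the third-party report in Part 3: a single host out of the whole inventory, scanned without credentials, fails on both counts, and the summary says so instead of presenting four findings as the organization's posture.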

Conclusion

To enhance security within the organization, establishing a VM process should be a priority. Digital criminals can carry out many other attacks besides the one in the case study. By following the guidelines above and developing our own policies, we will be able to perform regular vulnerability scans within the organization, which will allow many flaws to be fixed. Use of a recognized scanning tool such as Nessus will enhance our security by identifying known vulnerabilities promptly. By drastically reducing its cyber-security risk, Mercury USA can become the preferred transportation services supplier for its current and future clients.

References

Hoffman. (2020, July 20). OpenVAS vs. Nessus: How different are the two? WisdomPlexus. https://wisdomplexus.com/blogs/openvas-vs-nessus/ (accessed 11 November 2020).

Vaseashta, A., Susmann, & Braman, E. (2019). Cyber security and resiliency policy framework. IOS Press.

New York (State). (2018). Cyber security policy: Information security policy. Albany, NY: New York State & Critical Infrastructure Coordination.