Week 2 - Penetration Testing Plan

profilebishopm31
Week1-ThreatsAttacksandVulnerabilityAssessment_Michael_Bishop.docx

CMGT/400 v7

Threats, Attacks, and Vulnerability Assessment Template

CMGT/400 v7

Page 2 of 7

Threats, Attacks, and Vulnerability Assessment

Michael Bishop

February 4, 2020

CMGT400

Threats, Attacks, and Vulnerability Assessment

Target Stores, Inc.

Target Stores, Inc. is a wide-ranging products retailer with numerous stores spread in all 50 U.S. states and it has employed more than 350,000 individuals. It plays a very significant in improving the economy of the United States of America as well as paying awesome dividend to its investors and in order to achieve the anticipate growth and stay ahead of its competitors, the company has deployed a decisive technology platform so as to improve its mode of operations. Despite the benefits it accrues from the deployed technology, Target Stores was a victim of data breach in the year 2013 and due to the ever-evolving state of attacks, it is still susceptible to numerous emerging threats, attacks, and vulnerabilities (Vijayan, 2014).

Assessment Scope

The tangible assets in the company’s information system platform include hardware, software, telecommunication components, data and databases, and human resource and procedures. Additionally, there are other assets such cloud computing environments, mobile-related information systems, virtual resources, and integrated third-party systems.

Hardware are the physical technology components that support information processing and they include computers, printers, mobile devices, keyboards, external disk drives, and routers. In addition, servers, cameras, biometric systems, storage subsystems, networking cable, and dedicated network firewalls are notable hardware components. On the other hand, software components includes system programs such as operating system and application programs such as banking system, point of sale system, enterprise resource planning programs, and e-commerce applications.

Data are the day-to-day business operation records while databases or data warehouses are components where data is recorded and stored or where it can be retrieved in order to proceed with the outlining of tangible assets, communication components involve transmission assets such as network cables, wireless network components, antennas, routers, aggregators, repeaters, load balancers, and local area network (LAN) or wide area network (WAN) aspects. On the other hand, human resource assets includes the users who operate or access the company’s information systems while the procedures involve all processes and policies created and applied in order to perform actions.

It is also imperative to consider cloud computing environments, mobile-related information systems, virtual resources, and integrated third-party systems as other important assets of the company’s information system and they include cloud provider data infrastructure and services such as infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) platforms as well as virtual enterprise resource planning applications, business intelligence and analytical applications, office productivity suites and many others (Vijayan, 2014).

Most of these tangible assets will be assessed in order to evaluate the level of vulnerability as well as to identify the threats and attacks posed to the organization in addition to examining the existing countermeasures. However, internet service providers, cloud service providers, virtual resources, and integrated third-party systems will not be assessed as it will require direct authorization from their leaders and which may cause privacy issues for other companies that they provide services to.

System Model

Existing Countermeasures

Preliminary survey and research indicate that the existing countermeasures include advanced monitoring and log in security systems, installed application whitelisting POS systems and point of sale (POS) management tools, improved firewall rules and policies, robust user account and identity management systems, use of two-factor authentication and password vaults, and employee security training programs as well as proper network segmentation. The company has also regulated point of interactions between two different units that are within the information system structure such as firewalls to monitor inbound and outbound traffic.

In addition, a risk management plan and vulnerability assessment are also utilized frequently with the core aspects that are evaluated being tasks or workflows, people, technology, and the entire structure. This supports to identify emerging vulnerabilities and threats as well as to implement appropriate security solutions such as patches and updates. Finally, the company sought to limit and control vendor access to various resources in addition to implementing comprehensive account re-configuration frameworks in order to deactivate former personnel and contractors’ accounts (Post & Kagan, 2017).

Threat Agents and Possible Attacks

In this organization, the major threat agents includes insider/employee threat, IP scan and reconnaissance, malicious programs, web browsing, unprotected shares, mass emails, Simple Network Management Protocol (SNMP), forces of nature, acts of human error, technology failure, and deviation in service from providers as well as obsolete technologies. The possible attacks include Distributed Denial of Service (DDoS), data theft, the man-in-the-middle attacks, spoofing, social engineering attacks, and side-channel attacks as well as buffer overflow and brute force attacks (Post & Kagan, 2017).

Exploitable Vulnerabilities

The exploitable vulnerabilities in this case include service provider failures, deviation in quality of service, inexperienced users, default settings, unprotected sharing, unprotected endpoints, social networking applications, and inappropriate application downloads and web browsing behavior. Other vulnerabilities that can be exploited include vendor-portal access points, access to physical facilities, and unpatched systems (Pfleeger & Caputo, 2016).

Threat History/Business Impact

Threat History Events

Duration

Business Impact

Threat Resolution

Fire Eye malware detection system illegally reconfigured

1 year

Successful injection of malware

Improved administrative controls and policies

Malware installed

18 months

Theft of information through U.S servers

Intrusion detection/prevention systems

POS terminal attack

8 months

Data thefts and financial system sabotage

Chip and PIN security approach

Quality of Service attacks

10 months

Restricted access to financial systems ordered by managers

Deployment of comprehensive network traffic security controls and network/system segmentation

Risks and Contingencies Matrix

Risk

Probability

Priority

Owner

Countermeasures/Contingencies/Mitigation Approach

Limited user awareness

Likely

Medium

Company

Regular educational and training programs

Emerging threats

High likely

High

Company

Vulnerability scanning and external audits

Inappropriate browsing

High likely

Medium

Users

Ethical-based and behavior policies, monitoring systems

Vendor failure

Minimal

Medium

Service provider

Service-Level Agreements

References

Vijayan, J. (2014). Target attack shows danger of remotely accessible HVAC systems. Computerworld, Feb 7 2014. Retrieved February 2015 from

http://www.computerworld.com/article/2487452/cybercrime-hacking/target-attackshows-danger-of-remotely-accessible-hvac-systems.html

Post, G. & Kagan, A. (2017). Evaluating information security tradeoffs: Restricting access can interfere with user tasks. Computers & Security, 26, 229-237.

Pfleeger, S. & Caputo, D. (2016). Leveraging behavioral science to mitigate cyber security. Computers & Security, 31, 597-611

Copyright© 2018 by University of Phoenix. All rights reserved.

Copyright© 2018 by University of Phoenix. All rights reserved.