Week 2 - Penetration Testing Plan
CMGT/400 v7
Threats, Attacks, and Vulnerability Assessment Template
CMGT/400 v7
Page 2 of 7
Threats, Attacks, and Vulnerability Assessment
Michael Bishop
February 4, 2020
CMGT400
Threats, Attacks, and Vulnerability Assessment
Target Stores, Inc.
Target Stores, Inc. is a wide-ranging products retailer with numerous stores spread in all 50 U.S. states and it has employed more than 350,000 individuals. It plays a very significant in improving the economy of the United States of America as well as paying awesome dividend to its investors and in order to achieve the anticipate growth and stay ahead of its competitors, the company has deployed a decisive technology platform so as to improve its mode of operations. Despite the benefits it accrues from the deployed technology, Target Stores was a victim of data breach in the year 2013 and due to the ever-evolving state of attacks, it is still susceptible to numerous emerging threats, attacks, and vulnerabilities (Vijayan, 2014).
Assessment Scope
The tangible assets in the company’s information system platform include hardware, software, telecommunication components, data and databases, and human resource and procedures. Additionally, there are other assets such cloud computing environments, mobile-related information systems, virtual resources, and integrated third-party systems.
Hardware are the physical technology components that support information processing and they include computers, printers, mobile devices, keyboards, external disk drives, and routers. In addition, servers, cameras, biometric systems, storage subsystems, networking cable, and dedicated network firewalls are notable hardware components. On the other hand, software components includes system programs such as operating system and application programs such as banking system, point of sale system, enterprise resource planning programs, and e-commerce applications.
Data are the day-to-day business operation records while databases or data warehouses are components where data is recorded and stored or where it can be retrieved in order to proceed with the outlining of tangible assets, communication components involve transmission assets such as network cables, wireless network components, antennas, routers, aggregators, repeaters, load balancers, and local area network (LAN) or wide area network (WAN) aspects. On the other hand, human resource assets includes the users who operate or access the company’s information systems while the procedures involve all processes and policies created and applied in order to perform actions.
It is also imperative to consider cloud computing environments, mobile-related information systems, virtual resources, and integrated third-party systems as other important assets of the company’s information system and they include cloud provider data infrastructure and services such as infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS) platforms as well as virtual enterprise resource planning applications, business intelligence and analytical applications, office productivity suites and many others (Vijayan, 2014).
Most of these tangible assets will be assessed in order to evaluate the level of vulnerability as well as to identify the threats and attacks posed to the organization in addition to examining the existing countermeasures. However, internet service providers, cloud service providers, virtual resources, and integrated third-party systems will not be assessed as it will require direct authorization from their leaders and which may cause privacy issues for other companies that they provide services to.
System Model
Existing Countermeasures
Preliminary survey and research indicate that the existing countermeasures include advanced monitoring and log in security systems, installed application whitelisting POS systems and point of sale (POS) management tools, improved firewall rules and policies, robust user account and identity management systems, use of two-factor authentication and password vaults, and employee security training programs as well as proper network segmentation. The company has also regulated point of interactions between two different units that are within the information system structure such as firewalls to monitor inbound and outbound traffic.
In addition, a risk management plan and vulnerability assessment are also utilized frequently with the core aspects that are evaluated being tasks or workflows, people, technology, and the entire structure. This supports to identify emerging vulnerabilities and threats as well as to implement appropriate security solutions such as patches and updates. Finally, the company sought to limit and control vendor access to various resources in addition to implementing comprehensive account re-configuration frameworks in order to deactivate former personnel and contractors’ accounts (Post & Kagan, 2017).
Threat Agents and Possible Attacks
In this organization, the major threat agents includes insider/employee threat, IP scan and reconnaissance, malicious programs, web browsing, unprotected shares, mass emails, Simple Network Management Protocol (SNMP), forces of nature, acts of human error, technology failure, and deviation in service from providers as well as obsolete technologies. The possible attacks include Distributed Denial of Service (DDoS), data theft, the man-in-the-middle attacks, spoofing, social engineering attacks, and side-channel attacks as well as buffer overflow and brute force attacks (Post & Kagan, 2017).
Exploitable Vulnerabilities
The exploitable vulnerabilities in this case include service provider failures, deviation in quality of service, inexperienced users, default settings, unprotected sharing, unprotected endpoints, social networking applications, and inappropriate application downloads and web browsing behavior. Other vulnerabilities that can be exploited include vendor-portal access points, access to physical facilities, and unpatched systems (Pfleeger & Caputo, 2016).
Threat History/Business Impact
|
Threat History Events |
Duration |
Business Impact |
Threat Resolution |
|
Fire Eye malware detection system illegally reconfigured |
1 year |
Successful injection of malware |
Improved administrative controls and policies |
|
Malware installed |
18 months |
Theft of information through U.S servers |
Intrusion detection/prevention systems |
|
POS terminal attack |
8 months |
Data thefts and financial system sabotage |
Chip and PIN security approach |
|
Quality of Service attacks |
10 months |
Restricted access to financial systems ordered by managers |
Deployment of comprehensive network traffic security controls and network/system segmentation |
Risks and Contingencies Matrix
|
Risk |
Probability |
Priority |
Owner |
Countermeasures/Contingencies/Mitigation Approach |
|
Limited user awareness |
Likely |
Medium |
Company |
Regular educational and training programs |
|
Emerging threats |
High likely |
High |
Company |
Vulnerability scanning and external audits |
|
Inappropriate browsing |
High likely |
Medium |
Users |
Ethical-based and behavior policies, monitoring systems |
|
Vendor failure |
Minimal |
Medium |
Service provider |
Service-Level Agreements |
Vijayan, J. (2014). Target attack shows danger of remotely accessible HVAC systems. Computerworld, Feb 7 2014. Retrieved February 2015 from
http://www.computerworld.com/article/2487452/cybercrime-hacking/target-attackshows-danger-of-remotely-accessible-hvac-systems.html
Post, G. & Kagan, A. (2017). Evaluating information security tradeoffs: Restricting access can interfere with user tasks. Computers & Security, 26, 229-237.
Pfleeger, S. & Caputo, D. (2016). Leveraging behavioral science to mitigate cyber security. Computers & Security, 31, 597-611
Copyright© 2018 by University of Phoenix. All rights reserved.
Copyright© 2018 by University of Phoenix. All rights reserved.