8-10 pages

profilejacsny
team_hytema_tr1b_final.doc

Round 1, Part B

Team Members:

Robert Antis

Terry Martin Brown

John Francis Hung Scott

Candy Anna Sigel

Jacqueline Ann Snyder

UMUC

CSEC 670

Turnitin Originality Score ______0%_____

1.0 Hytema Round 1B Report

Hacktivists made good on their threat and successfully attacked Hytema this week. The majority of the damage was the defacement of our company website. The company also experienced a significant amount of downtime. Although our security team took preventive security measures to reduce the risk of this type of attack we were still compromised. As a result, we will remain on high alert and will adjust our security decisions to improve our organization’s security posture.

While the breach didn’t result in a loss in sensitive data it still damaged our reputation and will likely cost us the company future business. Hytema’s clients, especially the federal government, expects us to safeguard sensitive information and an attack like the one that occurred this week very likely damaged their confidence in our ability to do so. It is imperative that we continue to adhere to all the federal mandated security requirements while balancing the need to be a profitable company.

On the positive side, our security team is now working with an established security baseline. With the baseline, we now have the capability to make adjustments and measure the impact of those changes to the key indexes. Our results are reviewed in detail in Section 3.0 of this report.

2.0 Hytema Index Results Review

Our overall goal is to balance the three main themes of the capstone simulation which are cybersecurity, profitability and collaboration. In other words, we want to make sure that are security is strong, we maximize defense services up time and stay profitable. Success in those areas is measured as scores within five different security indexes. For Hytema, the security indexes are National Security Index, Security Index, Profitability, and Downtime.

Our goal is to be in line or better than the range from previous classes that were stated in the week 8 newsletter. The following table summarizes our results against our goals:

KEY INDEX

ACCEPTABLE SCORE RANGE

HYTEMA’S SCORE

PASS/FAIL

Global National Security Index (higher score is better)

110 – 120

100

FAIL

Security Index (higher score is better)

110 – 130

110

PASS

Downtime Index (lower score is better)

80 – 110

120

FAIL

Profitability (higher score is better)

80 – 110

79

FAIL

Using the acceptable score range from previous classes as a pass/fail indicator, our security team only passed in one area – Security. We realize that we must improve our scores in other areas by making adjustments to controls that impact security, productivity, and downtime.

3.0 Hytema’s Analysis of Breach and Strategy for Round 2

Prior to the breach we reviewed our initial security decisions in week Round 1 A and felt that the threat and risks had not changed. Therefore, as a team, we felt that our initial choices were the correct ones and we did not make changes in Round 1B prior to the simulation running. However looking at our index scores we know that there is considerable room for improvement.

To better illustrate our analysis after the defacement of our website, we will review each functional role independently in the following paragraphs. Please note that our security team understands that each area needs to collaborate with each other in order to strengthen our security posture. We separated our responses only because it is better organized for reading.

Chief Information Security Officer (CISO) –The most important controls for this round was the high degree of openness of the attack and the focus on penetration and network vulnerabilities prior to the attack. By being open and honest about what happened we were able to mitigate the damage done to our reputation and helped clients know that they could trust us. Also we focused on training that prepared the company to face the imminent threat. Hytema’s CISO also believes that training and preparation are the most important controls. The fundamental rationale to focus on these areas is to have a strong well-versed, security-minded, employee infrastructure. For the next round the data storage redundancy should be reduced and the review period should be increased from six months to nine months. These changes should help to improve the company's downtime score by reducing the amount of time backing up data and reviewing past performance.  

Security Engineer - Hytema’s Security Engineer suggests increasing the external boundary settings to protect assets from unauthorized access. In addition to protecting the network, this event is being used as an opportunity to acquire further knowledge to study and research the latest hacking techniques used by cyber criminals through the use of a research honeypot. Hytema Security Engineer will also disable the honeypots and continue to offer training in authentication, access and encryption to prevent breaches.

Policy Manager – Hytema Policy Manager favors more restrictive policies with harsh penalties for violations due to the nature defense work, and the sensitivity of the data it processes. The Policy Manager believes that his policies in regard to general access and external access are the most important because firm access controls make it harder for a cybercriminal to get on the network and cause damage. While more restrictive policies are also negatively affecting some other index scores, the Policy Manager believes that the employees shouldn’t be surprised at the level of security in the type of environment and work that they do. The policy manager plans to change one general access policy – the degree of freedom over browsing non-business sites to “free.” The rationale is explained in Section 3.1.

Information Security Engineer – Immediate training was provided to all personnel and ensured that all authorized software and anti-virus were frequently updated. Patch management procedure was also closely monitored. Also, physical security and backup policy were enforced to ensure that employees followed proper protocols.

Database Engineer – Virtualization was used to monitor all traffic closely and network systems because it allows Hytema to use multiple computers at the same time on the same network system.

3.1 Next Round Strategy

In light of our current security posture score, each of the team members, in their respective roles, took a look at their initial decisions and rationale and started to plan for the next round. This section will outline what we thought were the critical controls, what controls we will likely tweak and why.

Our strategy will remain largely the same as in Round 1 which is to lean on having more restrictive controls. However the biggest change will be to hone in on categories that will improve the indexes that we scored low in. It’s likely that we won’t focus a lot on improving our profitability index score in the second round as we are on the cusp of a passing score. However we will definitely look more closely at the categories that impact the Downtime index. For example, we know that downtime will be a challenge as indicated in the Week 7 newsletter which states that “Less restrictive controls (too cold) will encourage cyberattacks and increase downtime, and too restrictive controls (too hot) will encourage lost productivity and increase downtime.” We will review how restrictive our controls our however it’s likely that our team will only make minor adjustments to make them less secure. Alternatively, we can first try to change controls that affect productivity. Using Decision Reference section of the Application Model Reference guide we know that there are several categories where productivity can be impacted. We noticed that usually both the Productivity and Technical Security Index are impacted at the same time. This means we usually have to trade off security for productivity. However there is one category where that isn’t the case: General Access Policies (degree of freedom over browsing non-business sites). According to the guide we may be able be less restrictive and set it as “free” and not take a hit on security. The Hytema Chief Information Security Officer (CISO) also suggests reducing the data storage redundancy and increasing the review period from six months to nine months. These changes should help to improve the company's downtime score. If those decisions do not significantly alter our downtime score we will have to make some hard choices between security and productivity.

In regard to improving our National Security Index score our team looked at all the categories that impact that index. They are Breach Notification and Information Sharing Policies (Infragard) which fall under the CISO and Policy Manager’s functional areas. Curiously, those categories looked like they were optimally selected to give a positive result to the index. However our team understands that decisions are not independent of other indexes and that may be at play as well. The CISO set the policy to “all incidents” and the Policy Manager set Infragard to report every 7 days. It’s possible that the team can improve the index score by choosing a different investigative agency (one that costs the company) to improve the index score however this will be a little trial and error as we assumed selecting FBI/NSA was the optimal choice. In the next round we will select forensic investigators to see if it improves our National Index score.