8-10 pages
Round 2
Team Members:
Robert Antis
Terry Martin Brown
John Francis Hung Scott
Candy Anna Sigel
Jacqueline Ann Snyder
UMUC
CSEC 670
Turnitin Originality Score ______X%_____
1.0 Introduction
In Round 2, Hytema’s security team was made aware of two growing global cybersecurity threats. The first is an advisory from United States Computer Emergency Readiness Team (US-CERT) that identified a dangerous new computer worm called Mentika. US-CERT estimated that Mentika has already infected over a million computers - primarily in the Middle East and Southeast Asia regions. Mentika is difficult to defend against due to its ability to mutate into multiple variants. As a result, simple database patching and signature based detection methods will likely not be sufficient risk mitigation.
The second threat to global cybersecurity are financial indicators suggesting that the US is very likely to experience an economic downturn. The probability that this will occur is high and experts are worried that a downturn within the US could also trigger a global economic downturn. This most likely means that corporations will be less profitable, which could strain their security budgets. As a result, global cybersecurity postures will likely be more vulnerable than normal.
2.0 Decision Goals and Rationale
Hytema’s security team took the Mentika worm warning seriously when Round 2 security changes were considered. After the first round’s successful hacktivist breach, the security team decided to focus on improving the company’s security posture and make decisions that didn’t significantly reduce the security index. The team also decided to maximize spending in Kerberos and key distribution security areas, and take a wait and see approach on the magnitude of the economic downturn. While the team was successful in fending off the worm, the economic downturn further reduced the company’s profitability.
The team considers the round to be a success and still feels that it is natural for a defense contractor to keep more restrictive security policies. We noted in the last report that our employee morale score will always be low because of this. However, it is likely that similar defense contractors would have the similar low scores as an industry. While this comes at the cost of lower profitability, successful breaches will likely cost the company more in the long run.
Individual rationale for this round’s security decisions are below.
Chief Information Security Officer (CISO)
Changes this week:
1. Breach Notification Policy: All Incidents to Critical and significant incidents.
2. Investigative agencies to call in for major security breaches: FBI/NSA to CERT
3. Focus on training area: controls: 15% to 35%
4. Focus on training area: penetration testing: 35% to 15%
5. Degree of IT data storage redundancy: High to Medium
6. Degree of IT network redundancy: High to Medium
7. Levels of power backup redundancy: 3 to 2
8. Number of redundant backup communication links: 3 to 2
9. Policy review frequency in months: from 6 to 9.
Rationale: The CISO decided to make several changes this week to prepare for the possibility of a worm intrusion and economic downturn. The company will only report critical and significant events, as well as report primarily to CERT so that we can provide and receive the latest info and track the new worm. In an effort to save money and reduce the downtime experienced in the last round, the storage, network, and power redundancy settings will be reduced. Also, the policy review frequency will be changed from six months to nine. This should allow employees to focus on their primary jobs and improve productivity rather than preparing for reviews. In regard to security training, the company will shift its focus from penetration testing to increasing employee’s expertise in security controls.
Expected Results: A slight reduction to National Security Index because of the change in the breach notification policy. A reduction of downtime due to the policy review change, and increase in profit due to the reduction of costs in the network, storage and power redundancy areas.
Security Engineer
Changes this week:
1. Kerberos servers spending: $300,000 to $400,000.
2. Key distribution centers spending: $20,500 to $25,000
Rationale: The Security Engineer did not make extensive changes in Round 2. While the economic downturn looms, the security of the network is crucial to the company's long-term survival. The Security Engineer could not see moving any settings in encryption, DNS redundancy, firewalls, IDPS, and RBAC because of this. Instead, the Security Engineer increased the spending on authentication settings collectively. The Security Engineer is aware that the company needs to watch its budget. However, due to the probable events this Round, the Security Engineer decided to increase the Kerberos and key distribution center spending as an extra precaution. Additionally, the honeypot setting was going to be changed to a pure server honeypot, which would save Hytema $20k this week, but the team decided against this action.
The second event of the week, the harbinger of a worm infection, is also significant. Unlike last week, worms have to be programmed to avoid certain targets, such as high interaction honeypots. However, keeping the honeypot as a low interaction system gives Hytema a way to attract the worm (and its variants) to this honeypot and away from the network proper. Additionally, the honeypot can be engineered to be as safe as possible – like making it easier to attack the internal network or aiding in the worm’s propagation – while making it a more preferable target (Portokalidis & Bos, 2007). In concert with the other settings, the Security Engineer believes that this strategy is likely to keep the Mentika worm out of the network.
Expected Results: An increase in Technical Security Index and Performance. A decrease in downtime and profit.
Policy Manager
Changes this week:
1. Degree of freedom given to employees regarding communications over the internet: Restricted to Free.
2. Password validity in days: 45 to 30
Rationale: Two changes were made this week within the general access policy category. The first is what was discussed in the last report which was to switch to allow non-business site browsing. The primary reason for the change to a less restrictive setting was to improve employee morale while not impacting the team’s Technical Security Index score. Following Hytema’s “security first” overall policy, the Policy Manager decided to reduce the password validity days from 45 days to 30 days. This should result in an increase in the teams Technical Security Index score. The other controls were unchanged because they were already at the more restrictive side of the security spectrum.
Expected Results: An increase in Employee Morale and Profitability and a decrease in Productivity due to the degree of freedom of communications over the Internet. A decrease in Employee Morale and Productivity due to reduction in password validity days, but an increase in the Technical Security Index.
Information Security Engineer
Changes this week: Not Applicable
Rationale: Anti-Virus will always be one of the most important settings. The Information Security Engineer must ensure that it is working with the most up-to-date signatures and advanced technologies. A scan must be done at least once a day on all systems, as scanning systems multiple times a day may slow down productivity too much. Next, the system must use only Authorized Software that has been tested keeps a clean baseline, which reduces the chances of a hacker getting in through code embedded in unauthorized software installs. Having a remote backup location and a RAID 6 level backup safeguards the integrity of backup information. Ensuring that all employees are full time and properly vetted lowers the opportunities for them to become insider threats. Additionally, patch management is imperative to ensuring the mitigation of open exploitations. All patches should be tested and vetted before they are loaded onto production systems. Finally, ensuring the physical security of assets, prevents easy access for insider threats.
Expected Results: No impact to baseline scores from previous week.
Database Engineer
Changes this week: Not Applicable
Rationale: Daily use of the Internet can cause worms and viruses to infiltrate the network. That said, it is important that Hytema restrict all user rights to decrease the number of possible vulnerabilities. It is also important that employees have access to their own domain to protect individual passwords. For this reason, Hytema employees should configure all user settings so that only authorized members are allowed to add nodes to the domain.
Virtualization vs Cloud Computing was also discussed. Virtualization is the process of mimicking “virtual” versions of infrastructural frame assets, such as calculating locations, computer network systems, storing devices or network components, as opposed to creating actual or physical forms of those same assets. A cloud infrastructure delivers shared data and software as a service via the Internet, as opposed to virtualization, which is part of a physical infrastructure (Boothe, 2013). Virtualization can also make it more manageable for end users, while allowing an organization’s IT resources to be utilized more effectively. As a result, virtualization is likely a more secure choice for Hytema.
Expected Results: No impact to baseline scores from previous week.
3.0 Lessons Learned and Next Round Strategy
It is difficult to say to what degree our decisions positively or negatively impacted our scores. We can only look at the indicators that impact a category (from the Application Model Reference Manual) and try to focus on specific indicators that we want to improve in.
For Round 2, we agreed to focus on improving our security index. This focus was mainly because we were breached in Round 1. After the simulation ran, downtime fell to a score of 124 and profitability sank, but that could have been largely due to the economic downturn and not due to our decisions this week. Scores aside, at the end of the day, the team successfully mitigated the Mentika worm risk.
The team noticed that other groups were also successful in defending against the worm. The Federal Government team had a Security Index score of 106 compared to our score of 124. It is not clear if our team would have “passed” with a score of 106, or if individual decisions made more of a difference.
Our strategy next week will likely focus on downtime and finding more of a balance between the other indicator areas. While our security index score is great it, it does the company no good if profitability and other areas continue to sink. The team has to a better job at understanding that you can’t have everything, and that making smart decisions will likely yield positive results across the board.
References
Booth, H. (2013). Difference between virtualization and clouding. www.virtualcommand.com Retrieved from http://www.virtualcommand.com/virtualization-cloud-computing-difference/.
Portokalidis, G., & Bos, H. (2007). SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots. Computer Networks, 51(5), 1256-1274. doi:10.1016/j.comnet.2006.09.005