8-10 pages
Round 3
Team Members:
Robert Antis
Terry Martin Brown
John Francis Hung Scott
Candy Anna Sigel
Jacqueline Ann Snyder
UMUC
CSEC 670
Turnitin Originality Score 0%_____
1.0 Introduction
In round 3, the team had two main issues to deal with: a sudden change in the threat level and a Trojan attack. At the beginning of the week, there was no new advisory and the team spent most of its time focusing on ways to fix the areas that Hytema had not been performing well in as they should. On Wednesday, there was a sudden change in threat level as it was announced that a Trojan called Laetis was infecting computers across the country. This Trojan was able to infect systems while remaining hidden, making detection systems and procedures doubly important.
2.0 Decision Goals and Rationale
Round 3 began with Hytema team members debating how to improve the performance of the company. Over the last several weeks, Hytema has done well in disaster damage mitigation, and in contribution to the National Security Index. However, these scores have come at a cost: downtime, employee morale, and customer satisfaction.
The scores that the company has achieved have mostly consisted of small shifts. This led to a debate as to whether the team should focus on small incremental changes or to make several significant changes. The team members who proposed that the company make few changes argued that it was critical to maintain the security of the company, and that smaller changes would lead to improvements with small windows of risk. They felt that it was better to pay the cost of security upfront as opposed to risk paying to fix the damage that the Trojan could cause.
Those that argued for greater changes believed that the company could afford to take some risks and that areas like reputation and employee morale, which needed to be addressed before they festered. If Hytema’s performance didn’t improve, it could hurt the company's bottom line, which would reduce future budgets. Also, too much damage to employee morale could cause a backlash within the company. For example, there could be calls to have the authority of security personnel reduced or have employees feel forced to circumvent security in order to get work done.
The debate changed directions on Wednesday when word of the Trojan came out. The team unanimously agreed that it posed a significant threat to the company and that security needed to be tightened. Several changes that were made to ease the burden on the budget and to make the company operate more easily were undone and the security controls were increased.
Chief Information Security Officer (CISO)
Changes this week:
1. Degree of IT data storage redundancy : High
2. Focus on training area: controls : 35% to 15%
3. Focus on training area: penetration testing: 15% to 35%
Rationale: Initially, the CISO was going to suggest easing some of the redundancy and testing parameters in order to save money during the economic downturn and fix issues the company was having with downtime and morale. However, with the appearance of the Trojan, a successful attack can do more damage than the high downtime and low morale. The company will continue to report to CERT in order to get the latest info on the Trojan. The redundant data storage will go back up to high, while penetration testing training is being reemphasized. Since the Trojan attack does not carry the same public relations struggle that the hacktivist DoS attack carried, the company will only report critical or significant threats.
Expected Results: A decrease in performance due to increased data storage redundancy. However, disaster damage should be mitigated due to being able to recover data lost in any attack more efficiently.
Security Engineer
Changes this week:
1. Strength of honeypot to deploy: High interaction honeypot
Rational: For this round, the rule of thumb is to take a secure "wait-and-see" approach. Knowing what happened last week, the team would look to refocus towards making decisions that could help bring profitability back up. However, the Security Engineer does not see a reason to change the settings drastically with this week's potential Trojan horse attack. First, Kerberos and KDC spending will stay the same in case a further decrease in funds renders it not feasible to re-up the settings. Encryption, DNS redundancy, RBAC, and firewall settings are at their optimal settings. Because of this, and the Trojan threat, they will not be changed. The Security Engineer also sees no arguable reason to change the IDPS setting as well since detecting and stymieing intrusions from outside the network and via workstations is important. One setting that the Security Engineer intently looked at changing were those for the honeypot. Having an interactive honeypot, like last week's worm attack, make it an intentional target. Instead of using a low-interaction setting, a calculated risk can be taken to redirect the potential attack and gain attack information with a high-interaction honeypot (Saini, Mishra, & Sahoo, 2011). Therefore, the honeypot setting will be changed to high-interaction; this will cost $60k, but it is a good risk to take.
Expected Results: Decrease in disaster damage due to the higher level honeypot. The high-interaction honeypot will be more likely to deceive the Trojan since it is much more active and uses live software and real hardware as opposed to simply simulating them.
Policy Manager
Changes this week:
1. Degree of freedom given to employees regarding communications over the internet: Restricted to Free
2. Degree of logging of Internet access and other system actions and accesses: Critical system access only
Rationale: Morale dropped from 94 to 88 (6% reduction) in Round 2. The Policy Manager’s goal this week is to improve company morale while not significantly reducing the team’s already high security score. The Policy Manager believes that the initial policies on the internet were too restrictive. In Round 2, he opened up restrictions on browsing non-business sites. This week, the Policy Manager opened up communication on the Internet. According to the Application Model Reference guide for the simulation, these areas do not impact security and going to a free setting will also save money. He also decided to reduce the degree to which Internet actions are logged to “Critical system access only” setting. That change will further improve morale and shouldn't reduce the company’s security posture significantly. Lastly, he decided to allow five log-in attempts instead of three. The team will likely take a small hit towards the Technical Security Index, however the Policy Manager doesn't believe making it five attempts invites a significant amount of risk from three attempts.
Expected Results: Decreasing the restrictions on employees’ communication over the Internet should improve areas like downtime and employee morale, but with the risk of Laetis, it could harm security. Logging critical systems only should help with downtime and performance but again it can make things easier on the Trojan
Information Assurance Analyst
Changes this week: Not Applicable
Rationale: With an impending Trojan threat looming, It makes no practical, nor fiscal sense, to back off of particular settings such as anti-virus, authorized software policy, backup, or patch management. Since these items are front loaded, which means the largest single bulk cost for these are up front in the implementation, it is not rational to decrease their usage to save a few pennies. No changes to these items have been made. To help improve employee morale, forced job rotation and vacation have been eased up to give some sense of stability to work force.
Expected Results: No impact to baseline scores from previous week.
Database Engineer
Changes this week:
1. Spending on public relations: $85,000 to $100,000
Rationale: This week, due to the nature of the Trojan attack, Hytema’s Database Engineer has hired an additional employee. This employee will make sure all programs and anti-virus software are updated daily, and closely monitor network traffic. In addition, the department has restricted all personnel from connecting to social media sites and Internet browsing, visitation from outside personnel and downloads any attachment, including from trusted sources. Finally, employees must change all passwords; it must include a combination of symbols, numbers, upper and lower case letters.
Expected Results: No impact to baseline scores from previous week.
3.0 Lessons Learned and Next Round Strategy
Hytema was able to successfully defeat the Trojan attack in this round. The high level of security was the key factor in its success. Despite being able to thwart the Laetis Trojan, our company still took a hit in employee morale and reputation along with a further increase in downtime. Hytema once again increased our contribution to the National Security Index. The score was increase from 156 to 170. We are steadily increasing toward the max score of 200 which shows that despite the problems our company faces, our security is strongly contributing to the overall security of the country. For the Company Security Index, we increased from 124 to 128. Not a big increase, but we already had significant controls in place. For the next round, our team will need to take a heavy look into ways that we can maintain our security while improving the general performance of the company.
Hytema's problem areas are downtime, profitability and reputation. Due to the high amount of security controls in place, our downtime score increased from 129 to 144. Our security measures, while effective, are cutting into the company's ability to perform it main functions; this directly leads into our decrease in profitability. Profitability decreased this round from 63 to 45. Part of this was also due to the previous rounds economic downturn. In order for Hytema to be a successful venture, we cannot allow this index to fall any further and special consideration next round will be needed to address this. Also, despite our security successes, we are also having difficulty with reputation – down 75 to 64 – and customer satisfaction – down 70 to 58. To fix this, we will need to find ways to adjust controls that will make it easier for others to do business with us.
The team also learned about reacting to sudden changes and threats. Several team members on both sides of the debate made last minute changes to their decisions and rationale in order to compensate. The CISO was about to decrease the testing levels for quality assurance and vendor level, but with the threat of a Trojan that could remain undetected, he felt that they could not afford those changes at this time. The Database Engineer decided to hire an additional employee to monitor network traffic and ensure that it is up to date.
Reference:
Mishra, S., Sahoo, P., & Saini, H. (2011). Defense Against Trojans Using Honeypots. IUP Journal of Science & Technology, 7(3), 49-61. Retrieved from EBSCOhost.