1. For the organization MIT, what controls (technical, physical or administrative) would you implement to secure it and fulfil the CIA triad within the university and its departments, and when connecting to the Internet? (Provide a figure for your controls and explain why you chose them.) Please note that you must cover technical, physical and administrative controls.
2. What kinds of risks might you accept (i.e., not implement controls for them), and why? For the risks you decided to accept, and for unexpected risks, how do you plan to handle them?
3. Give an example of a duty of Incident Response Planning, Disaster Recovery Planning and Business Continuity Planning when an unexpected event occurs.
4. Refer to any resource to explain the difference between a Host Intrusion Detection System (HIDS) and a Network Intrusion Detection System (NIDS).
5. Write a literature review on signature-based detection and anomaly-based detection.
Case Study (1): Victim of Social Engineering
Throughout the process, the auditor found countless examples of lax information security across the organization. There was no coordinated security policy, and the policies that did exist were not being followed. While reviewing the notes, the auditor noticed that a contractor had requested the TMS server address over the phone. Further follow-up revealed that a system administrator gave out the server address to the contractor because the contractors were in the middle of upgrading servers. The administrator also mentioned that the contractor had requested the password, but the administrator did not feel comfortable sharing it over the phone and asked the contractor to stop by the office; the contractor never showed up. From the description of events, the auditor judged it to be a social engineering attempt. Social engineering is an attack in which an adversary gains access to sensitive information or systems by tricking a person into handing it over rather than by defeating a technical control. The auditor's immediate recommendation was to focus on the contractor's activity in the organization.
Over the next few weeks the story unfolded and all the pieces of the puzzle were put together. It was eventually proven that the contractor stole the information. The contractor had been hired to oversee the upgrade of servers on the storage network. While doing this, she learned about the transaction management system. She knew PII could be sold on the black market and thought the lax security at TKU would let her steal data without repercussions. Her only obstacle was access. Since she only had access to the storage network, she needed a way onto the transaction management server. That is when she called the system administrator, obtained the IP address and tried to get his login credentials. Once she had the IP address, she used freely available Internet tools to scan the system and recover a username and password with administrative access. It took her only a matter of minutes.
The password was only three characters long and contained no numbers or special characters. With her new administrative permissions, she was able to export the PII.
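The "matter of minutes" claim follows directly from the size of the search space a three-character, single-class password presents. The following is an added worked example, not code from the case study: it checks a candidate password against an assumed policy (minimum 12 characters, at least three character classes; these thresholds are assumptions, not TKU's policy) and estimates how long an online or offline guessing attack needs to exhaust the keyspace. The sample passwords and the guess rate are constructed for illustration.

```python
import string

# Assumed policy thresholds for this example (not from the case study).
MIN_LENGTH = 12
MIN_CLASSES = 3

# Character classes an attacker's guesser would enumerate.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def classes_used(password: str) -> set:
    """Return the names of the character classes actually present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password: str) -> int:
    """Number of candidates a brute-force attacker must try, assuming the attacker
    knows (or guesses) the length and the character classes in use."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: int = 1_000_000) -> float:
    """Worst-case time to enumerate the whole keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second


def policy_violations(password: str) -> list:
    """List the reasons a password fails the assumed policy; empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"length {len(password)} is below minimum {MIN_LENGTH}")
    used = classes_used(password)
    if len(used) < MIN_CLASSES:
        violations.append(f"only {len(used)} character class(es) used: {sorted(used)}")
    return violations


if __name__ == "__main__":
    # Constructed samples: a three-letter password like the one in the case study,
    # and one that satisfies the assumed policy.
    for pw in ("abc", "Tr4ns@ct10n-Mgmt"):
        print(pw, "keyspace =", keyspace(pw),
              "exhaust in %.2g s at 1M guesses/s" % seconds_to_exhaust(pw),
              "violations =", policy_violations(pw))
```

A three-lowercase-letter password has only 26^3 = 17,576 candidates, which a guesser exhausts in a fraction of a second even at a modest online rate; the policy-compliant sample has 94^16 candidates, far beyond any practical enumeration. The check is the kind of control the memo in this case study should recommend alongside an out-of-band verification procedure for credential requests.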
Write a memo that discusses the seriousness of the situation and highlights the key breaches, including ITSec recommendations.
Case Study (2): Data Breach
Early one morning, Don was ushered into a closed-door meeting with the Chief Financial Officer, the CIO, and an external security auditor he had not met before. In the meeting Don learned that a large amount of data, including PII, had been exported from the system. The previous day Gary had been going through the logs to see whether the patch he applied had worked correctly, and he noticed that someone in the administrator group had exported a large amount of data at an odd time. Gary reasoned that no one should be accessing the system at 2am, and he was concerned because a large amount of data had been exported. After he raised the issue with management, it was decided that the Finance division would investigate. The responsibility for finding out exactly what happened therefore fell on Don, who was asked to work with the auditor.
Don left the meeting feeling overwhelmed and disconcerted; he knew nothing about security practices and he wasn’t happy about working with the auditor. He had recently inherited the system and didn’t know much about it. He did know that he had to find the source of the leak before more student information was lost and he knew his job might be on the line.
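Gary's finding in this case study was a manual one: an administrator-group account exporting a large volume of data at 2am. That same reasoning can be written as a detection rule and run over the system's audit log so the next such event raises an alert instead of being found by chance. The following is an added example, not code from the case study or from TKU's system: the log format (timestamp, user, group, action, byte count), the business-hours window and the volume threshold are all assumptions, and the log lines are constructed for illustration.

```python
from datetime import datetime, time

# Constructed sample audit log (not from the case study).
# Assumed format per line: ISO-8601 timestamp, user, group, action, bytes.
SAMPLE_LOG = """\
2024-03-11T09:14:02 gary admin patch_apply 0
2024-03-11T14:30:55 don users report_view 120400
2024-03-12T02:07:41 svc_backup admin export 48120000
2024-03-12T10:02:13 alice users export 250000
2024-03-12T23:58:09 bob admin export 900000
"""

# Assumed detection thresholds for this example.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
LARGE_EXPORT_BYTES = 10_000_000


def parse_line(line: str) -> dict:
    """Parse one audit log line into a structured event."""
    ts, user, group, action, size = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "group": group,
        "action": action,
        "bytes": int(size),
    }


def off_hours(ts: datetime) -> bool:
    """True when the timestamp falls outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def classify(event: dict) -> list:
    """Return the reasons an export event is suspicious (empty list if none).

    Two independent signals, mirroring Gary's reasoning: a privileged account
    exporting at an odd hour, and an export whose volume is unusually large.
    """
    reasons = []
    if event["action"] != "export":
        return reasons
    if event["group"] == "admin" and off_hours(event["ts"]):
        reasons.append("admin export outside business hours")
    if event["bytes"] >= LARGE_EXPORT_BYTES:
        reasons.append("large export volume")
    return reasons


def find_suspicious(log_text: str) -> list:
    """Scan the log and return (timestamp, user, reasons) for every flagged export."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            alerts.append((event["ts"].isoformat(), event["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Against the constructed log, the 02:07 export by the administrator-group account trips both signals, while the 23:58 administrator export trips only the off-hours rule and the daytime export by an ordinary user trips neither. In practice the rule would be fed from the real audit source and the thresholds tuned to the system's normal batch schedule, so that legitimate overnight jobs are allow-listed rather than silently raising the threshold for everyone.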