The CEO and CIO need you and your team to create an IRP and change management plan.

These plans will help the organization choose the appropriate cyber security tools.

Cyber security tools are available to organizations that need to integrate their problem management, configuration management, and incident management processes.

Part I: Incident Response Plan
Incident response is a disciplined methodology for managing the aftermath of a security breach, cyberattack, or other security incident. An IRP provides an organization with procedures that effectively limit the impact on its data, systems, and business and reduce recovery time and overall cost.

Create a 1- to 2-page IRP in Microsoft Word for the organization you chose in Week 1. In your plan, ensure you:

Discuss roles and responsibilities.
Discuss the critical activities for each of the 5 phases in the incident response process.
List at least 3 cyber security tools that work together to monitor the organization’s network for malicious and abnormal activity.

Part II: Change Management Plan
Change management plans define the process for identifying, approving, implementing, and evaluating necessary changes due to new requirements, risks, patches, maintenance, and errors in the organization’s networked environment.

Create a 1- to 2-page Change Management Plan in Microsoft Word for your chosen organization. In your plan, ensure you discuss:

Roles and responsibilities
The use of swim lanes and callouts
Who should be involved in developing, testing, and planning
Who reviews and signs off on the change management requests

Briefly describe how a change management plan reduces the organization’s risk from known threats.

Part III: Cyber Security Tool Comparison
Create a 1- to 2-page table that compares two of the industry standard tools that integrate incident management and change management.

Recommend the best tool for the organization to the CEO and CIO. Explain how it maintains compliance with the organization’s regulatory requirements.

Format your citations according to APA guidelines.

Security Vulnerability Report

The Security Vulnerability Report below details security issues discovered during an internal assessment review. The vulnerabilities outlined require immediate attention and must be addressed in order to prevent an impact on or loss of confidential and patient data.

Vulnerabilities Identified

Vulnerability: Lack of Password Policy
Threat Level: High
Description: Single-factor authentication allowing weak passwords
Potential Impact: Potential for passwords to be compromised

Vulnerability: Lack of Software Configuration Management
Threat Level: Medium
Description: Different configurations allowed across servers
Potential Impact: Changes to servers could inadvertently cause a denial of service

Vulnerability: Lack of Incident Response Plan
Threat Level: High
Description: No Incident Response Policy in place
Potential Impact: Attacks may not be responded to properly, exposing the organization to further risk

Incident Response Plan Recommendations

Lack of an Incident Response Plan. An Incident Response Plan documents the procedures associates follow in order to respond properly to incidents. The risk of data loss or corruption is higher should an employee fail to follow properly devised procedures when handling an incident. Failing to institute an Incident Response Plan puts DuPage Medical Group at risk of litigation, fines, and additional financial loss. Mitigation of an incident has a higher success rate when an Incident Response Plan is properly instituted and staff are trained on it.

Should a breach occur, loss or corruption of PII, financial data, company proprietary data, or information that gives our business a competitive advantage would cause a loss of patient trust and lead to a loss of investor confidence. Government mandates require our business to protect patients' financial information as well as their personal health information. Any variance from proper procedure could expose us to further government scrutiny should it be proven that we lack a policy or the ability to follow an established policy.

An Incident Response Plan should be implemented and documented with the input of all department leads. Once completed, a review should be held with leadership, and once approved, proper sign-off by all involved parties should take place.

Password Policy

Weak passwords are a major security risk. Several associates have access to customer, employee, and contractor records. Finance and marketing have access to confidential data that could put our business at a disadvantage should our competitors obtain it. Proper precautions need to be developed to protect our data from unauthorized access. Bad actors can crack common passwords with little effort; common strategies include brute force, guessing, phishing, and dictionary attacks.

A formal Password Policy needs to be developed by information security. The policy will detail the required character length, the strength requirements, and the maximum duration before a password change is required. Once the policy is developed, it will be presented to leadership for formal sign-off and implementation.
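As an added example (not part of this report, and not DuPage Medical Group's actual policy), the three requirements the paragraph names, length, strength, and maximum age, expressed as a small Python validator, with a check against a common-password list since dictionary attacks are among the threats listed above. The thresholds (12 characters, three of four character classes, 90 days) and the blocklist contents are assumed placeholder values that information security would set:

```python
"""Password policy checker: an added illustration, not the report's own policy.

Assumed policy values (placeholders for what information security would define):
  - minimum length 12 characters
  - at least three of the four character classes (lower, upper, digit, symbol)
  - not on a blocklist of common passwords (a small constructed sample here)
  - maximum password age 90 days before a change is required
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample of common passwords; a real deployment would load a
# large breached-password list rather than this handful.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome1", "letmein"}


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3
    max_age_days: int = 90
    blocklist: frozenset = field(default_factory=lambda: frozenset(COMMON_PASSWORDS))

    def check_strength(self, password: str) -> list[str]:
        """Return the policy rules a candidate password violates (empty list = compliant)."""
        violations = []
        if len(password) < self.min_length:
            violations.append(f"shorter than {self.min_length} characters")
        classes = sum([
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ])
        if classes < self.min_classes:
            violations.append(f"uses {classes} character classes, policy requires {self.min_classes}")
        if password.lower() in self.blocklist:
            violations.append("appears on the common-password blocklist")
        return violations

    def rotation_due(self, last_changed: date, today: date) -> bool:
        """True when the password is older than the policy's maximum age."""
        return today - last_changed > timedelta(days=self.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("password1", "Correct-Horse-Battery-9"):
        problems = policy.check_strength(candidate)
        print(candidate, "->", "compliant" if not problems else "; ".join(problems))
    print("rotation due:", policy.rotation_due(date(2021, 1, 1), date(2021, 4, 15)))
```

The checker returns every violated rule rather than stopping at the first, so the message shown to a user explains the whole gap between the attempt and the policy.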

Software Configuration Management

Proper patch management processes are necessary to maintain the confidentiality, integrity, and availability of the data on our servers. If patches are not carefully reviewed prior to release into our environment, we risk compatibility issues, conflicts, or exposing our data through a misconfigured server. Patching should also be done in stages to ensure the availability of data while other servers are being patched. One set of servers should remain available for use, and the set being patched should be taken out of production until patching has been completed. Once one set of servers has been patched, it should be returned to production so that the next set can move to the patching stage.

A proper patch management policy needs to be developed by the team implementing the patches. The policy should include a timeline for reviewing the patch notes, compatibility, and testing. A uniform rollout, including a change management process, must be established to review each change prior to adoption and to ensure consistent implementation going forward.
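As an added example (not the report's own procedure), the staged rollout described above, modelled in Python: the server pool is split into sets, one set is withdrawn from production and patched while the others keep serving, and a set is returned only after each member passes a health check. A failed check halts the rollout so the untouched sets stay on the known-good build. The server names, set size, and the `apply_patch` and `health_check` callbacks are constructed stand-ins for whatever the patching team uses:

```python
"""Staged (rolling) patch rollout planner: an added illustration of the
staging described above, not the report's own procedure.

Server names, set size and the patch/health-check callbacks are constructed.
"""
from __future__ import annotations
from typing import Callable


def split_into_sets(servers: list[str], set_size: int) -> list[list[str]]:
    """Partition the pool so that withdrawing any one set leaves others in production."""
    if set_size < 1 or set_size >= len(servers):
        raise ValueError("set_size must leave at least one set in production")
    return [servers[i:i + set_size] for i in range(0, len(servers), set_size)]


def rolling_patch(
    servers: list[str],
    set_size: int,
    apply_patch: Callable[[str], None],
    health_check: Callable[[str], bool],
) -> list[tuple]:
    """Patch one set at a time and return an audit log.

    Each log entry is (step, servers_involved, servers_still_in_production).
    """
    in_production = set(servers)
    log = []
    for patch_set in split_into_sets(servers, set_size):
        # Take the set out of production before touching it.
        in_production.difference_update(patch_set)
        log.append(("withdraw", tuple(patch_set), len(in_production)))
        for server in patch_set:
            apply_patch(server)
            if not health_check(server):
                # Leave this set out of production for investigation and stop:
                # the sets not yet patched remain on the known-good build.
                log.append(("halt", (server,), len(in_production)))
                return log
        # Every member passed its check, so the set rejoins production.
        in_production.update(patch_set)
        log.append(("return", tuple(patch_set), len(in_production)))
    return log


if __name__ == "__main__":
    pool = ["app01", "app02", "app03", "app04", "app05"]  # constructed pool
    for step in rolling_patch(pool, 2, lambda s: print(f"patching {s}"), lambda s: True):
        print(step)
```

The third element of every log entry is the number of servers still serving, which is the availability invariant the paragraph asks for; a reviewer of the rollout can confirm it never dropped to zero.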

Part I: Mapping Vulnerabilities to Security Controls

Control ID: AC
Control Name: Access Control
Vulnerabilities:
Unauthorized access to sensitive information in the system.
Unauthorized modification of information in the system.
Recommended Mitigation:
Implementation of firewall and Access Control Lists.
Implementation of physical security measures such as locks and smart cards.
Implementation of login credentials.

Control ID: IA
Control Name: Identification and Authentication
Vulnerabilities:
Poorly defined authentication measures such as passwords.
Lack of definition of the authentication measures.
Recommended Mitigation:
Implementation of multifactor authentication measures.
Implementation of strong passwords.
Implementation of an intrusion detection system and intrusion prevention system (IDS/IPS).

Control ID: AT
Control Name: Awareness and Training
Vulnerabilities:
Social engineering attacks.
Execution of malware attacks.
Insider attacks.
Recommended Mitigation:
Regularly changing the passwords used in the system.
Adoption of multifactor authentication measures.
Educating the users on security threats and how to mitigate them.
Implementation of antimalware and antivirus software.

Control ID: CM
Control Name: Configuration Management
Vulnerabilities:
Misconfigured firewalls and system settings.
Outdated and unpatched software.
Recommended Mitigation:
Conducting vulnerability testing to identify misconfigured settings in the network.
Conducting penetration testing in the network.
Regularly updating the software in the system to current versions.
Monitoring user activity and conducting troubleshooting activities in the network.

Control ID: IR
Control Name: Incident Response
Vulnerabilities:
Lack of a plan to prevent additional damage occurring to the system during an attack.
Lack of a plan to guide the recovery process after an attack.
Increase in the recovery time and costs incurred during the recovery process.
Future occurrence of similar attacks.
Recommended Mitigation:
Conducting post-incident activities to prevent future occurrences of the attack.
Defining an incident response plan to identify how to respond to an incident.

Part II: Security Controls Testing

Control ID: AC
Control Name: Access Control
Vulnerabilities:
Unauthorized access to sensitive information in the system.
Unauthorized modification of information in the system.
Recommended Mitigation:
Implementation of firewall and Access Control Lists.
Implementation of physical security measures such as locks and smart cards.
Implementation of login credentials.
Testing Procedure (Review and Technical Tests):
Reviewing the access control measures documentation.
Conducting physical testing by reviewing the implemented access control measures.
Conducting a vulnerability assessment of the system.

Control ID: IA
Control Name: Identification and Authentication
Vulnerabilities:
Poorly defined authentication measures such as passwords.
Lack of definition of the authentication measures.
Recommended Mitigation:
Implementation of multifactor authentication measures.
Implementation of strong passwords.
Implementation of an intrusion detection system and intrusion prevention system (IDS/IPS).
Testing Procedure (Technical Test):
Checking the logs generated in the system to identify any attack attempts mitigated by the security controls.
Conducting attacks to test the strength of the authentication measures in the system, such as through password cracking.

Control ID: AT
Control Name: Awareness and Training
Vulnerabilities:
Social engineering attacks.
Execution of malware attacks.
Insider attacks.
Recommended Mitigation:
Regularly changing the passwords used in the system.
Adoption of multifactor authentication measures.
Educating the users on security threats and how to mitigate them (McCrohan, Engel, & Harvey, 2010).
Implementation of antimalware and antivirus software.
Testing Procedure (Interviews and Observation):
Conducting personnel testing to identify whether the users are aware of and follow the defined security measures.
Observing the users to note whether they use more than one authentication measure.
Attempting social engineering attacks to identify the response of the users.

Control ID: CM
Control Name: Configuration Management
Vulnerabilities:
Misconfigured firewalls and system settings.
Outdated and unpatched software.
Recommended Mitigation:
Conducting vulnerability testing to identify misconfigured settings in the network.
Conducting penetration testing in the network.
Regularly updating the software in the system to current versions.
Monitoring user activity and conducting troubleshooting activities in the network.
Testing Procedure (Technical Testing):
Conducting penetration testing by attempting to exploit the system and software vulnerabilities.
Analyzing the different configurations in the system to identify whether they adhere to the defined security standards.

Control ID: IR
Control Name: Incident Response
Vulnerabilities:
Lack of a plan to prevent additional damage occurring to the system during an attack.
Lack of a plan to guide the recovery process after an attack.
Increase in the recovery time and costs incurred during the recovery process.
Future occurrence of similar attacks.
Recommended Mitigation:
Conducting post-incident activities to prevent future occurrences of the attack.
Defining an incident response plan to identify how to respond to an incident (Farhat, McCarthy, Raysman, & Knight, 2011).
Testing Procedure (Interviews and Observation):
Interviewing users to identify whether they are aware of the procedures to follow when an attack occurs.
Creating a simulation of an attack to observe whether the users are able to respond appropriately.
Reviewing the incident response plan of the organization.

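As an added example (not part of the testing table above), the IA test step of checking system logs for attack attempts that the authentication controls turned away, carried out in Python over constructed sshd-style log lines: failed logins are counted per source address inside a sliding time window, bursts above a threshold are flagged, and the output notes whether a successful login from the same source followed the burst, which is the case a reviewer should escalate. The sample lines, the five-failure threshold and the five-minute window are assumptions:

```python
"""Authentication log review: an added illustration of the IA testing step above.

Parses constructed sshd-style lines, counts failed logins per source address
within a sliding window, and flags bursts. Sample data and thresholds are assumed.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the addresses are from documentation ranges.
SAMPLE_LOG = """\
2021-03-01T10:00:01 sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
2021-03-01T10:00:02 sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
2021-03-01T10:00:03 sshd[4102]: Failed password for root from 203.0.113.5 port 51024 ssh2
2021-03-01T10:00:04 sshd[4102]: Failed password for root from 203.0.113.5 port 51025 ssh2
2021-03-01T10:00:05 sshd[4102]: Failed password for root from 203.0.113.5 port 51026 ssh2
2021-03-01T10:00:09 sshd[4102]: Accepted password for root from 203.0.113.5 port 51027 ssh2
2021-03-01T10:15:00 sshd[4190]: Failed password for jsmith from 192.0.2.20 port 40010 ssh2
2021-03-01T10:15:40 sshd[4190]: Accepted publickey for jsmith from 192.0.2.20 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text: str) -> list[dict]:
    """Turn log lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def find_login_bursts(events: list[dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source IPs with at least `threshold` failed logins inside any `window`.

    Returns {ip: {"failures": count_in_worst_window, "followed_by_success": bool}}.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        (failures if ev["result"] == "Failed" else successes)[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        worst, worst_start, j = 0, None, 0
        # Two-pointer sweep: for each start time, advance j to the first failure
        # outside the window; j - i is the number of failures in that window.
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i > worst:
                worst, worst_start = j - i, start
        if worst >= threshold:
            flagged[ip] = {
                "failures": worst,
                "followed_by_success": any(t > worst_start for t in successes.get(ip, [])),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_login_bursts(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A burst that the controls rejected outright is evidence the mitigation worked; a burst followed by an accepted login from the same source is the finding that needs an incident ticket and a password reset, which is why the two cases are reported separately.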
Part III: Penetration Testing and Vulnerability Scanning

Conducting a vulnerability scan provides information about the vulnerabilities present in the system that attackers could exploit to compromise its security. A penetration test involves assuming an attacker's role and attempting to identify and exploit vulnerabilities in the system. Both the vulnerability scan and the penetration test allow the organization to identify the vulnerabilities that attackers could exploit, with penetration testing additionally providing insight into the attack vectors attackers could use (Shah & Mehtre, 2015).

The process of conducting a vulnerability scan begins by identifying the system's vulnerabilities using vulnerability scanners. This includes scanning the different components of the system, such as servers, firewalls, and computers. Identifying vulnerabilities can consist of finding open ports and misconfigured system and security settings. The scanners draw on information about known vulnerabilities held in a vulnerability database. The next step is evaluating the vulnerabilities the scanner identified. The evaluation can involve determining whether each finding is a true positive or a false positive and identifying the attack vectors that could be used to exploit it. Once the risk presented by a vulnerability has been identified, the next step is implementing measures to address it. Recommendations are proposed to address the noted vulnerabilities and the risk they present; the organization can either implement the recommended solutions or leave a vulnerability unaddressed if its risk is low. The vulnerability scan ends with reports on the identified vulnerabilities and the measures implemented to address them (Goel & Mehtre, 2015).
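As an added example (not from the paper or the cited sources), the evaluation and reporting steps of that scan process carried out in Python on constructed scanner output: duplicate findings are collapsed, each finding is marked as a true or false positive from a manual verification list, a risk score is derived from the scanner's severity and the asset's criticality, each finding receives a disposition (remediate, or accept when the risk is low), and a summary report is produced. The hosts, findings, criticality weights, verification results and the acceptance threshold are all assumed sample values:

```python
"""Vulnerability scan triage: an added illustration of the scan process above.

All hosts, findings, weights and thresholds are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float      # scanner-reported base score, 0-10
    evidence: str    # banner or check output the scanner relied on


# Constructed asset inventory: criticality 1 (low) to 3 (high).
ASSET_CRITICALITY = {"db01": 3, "web01": 2, "kiosk07": 1}

# Constructed scanner output; titles and evidence are illustrative only.
SAMPLE_FINDINGS = [
    Finding("db01", 3306, "Outdated database server version", 7.5, "banner: 5.7.30"),
    Finding("web01", 443, "TLS 1.0 enabled", 5.3, "handshake: TLSv1.0 accepted"),
    Finding("web01", 80, "Outdated web server version", 9.8, "banner: httpd/2.4.29"),
    Finding("kiosk07", 22, "SSH weak MAC algorithms", 4.3, "hmac-md5 offered"),
    Finding("kiosk07", 22, "SSH weak MAC algorithms", 4.3, "hmac-md5 offered"),  # duplicate
]

# Constructed result of manual follow-up: the web server's distribution
# backports fixes without changing the banner, so this version check was wrong.
VERIFIED_FALSE_POSITIVES = {("web01", 80, "Outdated web server version")}

ACCEPT_BELOW = 6.0   # assumed risk threshold below which a finding may be accepted


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Collapse repeated findings for the same host, port and title."""
    seen, unique = set(), []
    for f in findings:
        key = (f.host, f.port, f.title)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def risk_score(f: Finding) -> float:
    """Scale the scanner's severity by asset criticality (unknown hosts count as medium)."""
    return round(f.cvss * ASSET_CRITICALITY.get(f.host, 2) / 3, 1)


def triage(findings: list[Finding]) -> list[dict]:
    """Return one row per unique finding with status, risk and action, highest risk first."""
    rows = []
    for f in dedupe(findings):
        row = {"host": f.host, "port": f.port, "title": f.title, "evidence": f.evidence}
        if (f.host, f.port, f.title) in VERIFIED_FALSE_POSITIVES:
            row.update(status="false positive", risk=0.0, action="close")
        else:
            risk = risk_score(f)
            row.update(status="true positive", risk=risk,
                       action="remediate" if risk >= ACCEPT_BELOW else "accept")
        rows.append(row)
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def summary(rows: list[dict]) -> dict:
    """Counts for the closing report."""
    out = {"total": len(rows), "remediate": 0, "accept": 0, "false positive": 0}
    for r in rows:
        out["false positive" if r["status"] == "false positive" else r["action"]] += 1
    return out


if __name__ == "__main__":
    rows = triage(SAMPLE_FINDINGS)
    for r in rows:
        print(f'{r["host"]}:{r["port"]} {r["title"]} risk={r["risk"]} -> {r["action"]}')
    print(summary(rows))
```

Keeping the scanner's evidence on each row is what makes the true/false-positive decision auditable later: the report records not just that a finding was closed but what the scanner saw and why that was judged wrong.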

The initial stage of penetration testing involves planning and reconnaissance, where the goals and scope of the testing process are defined. In this stage, information about the system's functions and possible vulnerabilities is gathered. The next stage is scanning, where various tools are used to scan for vulnerabilities in the system. In the following stage, the identified vulnerabilities are exploited to gain access. Penetration testing also includes maintaining access, to identify how long attackers could remain in the system before the attack is detected. In the final stage, the vulnerabilities that were exploited, the information that was accessed, and the time spent in the system are analyzed before a report of the entire process is generated (Goel & Mehtre, 2015).

References

Farhat, V., McCarthy, B., Raysman, R., & Knight, L. L. P. (2011). Cyber-attacks: prevention and proactive responses. Practical Law, 1-12.

Joint Task Force Transformation Initiative. (2013). Security and privacy controls for federal information systems and organizations (NIST Special Publication 800-53, Revision 4). National Institute of Standards and Technology.

Goel, J. N., & Mehtre, B. M. (2015). Vulnerability assessment & penetration testing as a cyber defense technology. Procedia Computer Science, 57, 710-715.

McCrohan, K. F., Engel, K., & Harvey, J. W. (2010). Influence of awareness and training on cybersecurity. Journal of Internet Commerce, 9(1), 23-41.

Shah, S., & Mehtre, B. M. (2015). An overview of vulnerability assessment and penetration testing techniques. Journal of Computer Virology and Hacking Techniques, 11(1), 27-49.
