Assessment item 3 – Red team analysis and recommendations
The ACME CISO was impressed with your work so far, and she has asked that you join her team as a consulting enterprise security architect.
Now that ACME has a clear set of security control configuration and behavioural requirements (the ACSS), you must assess the ACME information processing environment more broadly to identify any weaknesses or opportunities for improvement.
(ACME system architecture diagram to be supplied on the Interact2 subject site)
Your first task in the new role was to commission an external Red Team exercise – a controlled offensive security test designed to explore the weaknesses in the ACME environment. A summary of the Red Team findings is as follows:
- ACME users only ever authenticate with a username and password, regardless of how they access the information systems and whether the systems are on-premises or in the cloud.
- Unprotected documents were located on the ACME network that contained sensitive customer information including credit card numbers and CVV codes.
- Critical servers in the ACME data centre are accessible from every workstation, including those in the offices and warehouses.
- The ACME customer portal software was vulnerable to cross-site scripting (XSS) and session fixation attacks.
- A dummy file of ‘stolen’ sensitive corporate and customer information was successfully sent externally from an ACME workstation.
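The portal finding above names two weaknesses, cross-site scripting and session fixation, without showing what they look like in code. The following Python is an added example written for this page; it is not ACME code, not part of the Red Team report, and not part of the assignment. It models a minimal session handler and page renderer in two forms: a vulnerable form that accepts a client-supplied session id at login and concatenates untrusted input into HTML, and a hardened form that regenerates the session id when the user authenticates, sets HttpOnly/Secure/SameSite on the cookie and HTML-encodes output. The credential table, the `SessionStore` class and every function name are assumptions for illustration only.

```python
import hmac
import html
import secrets
from typing import Dict, Optional

# Constructed credential table for the demo only; a real deployment would
# verify against salted password hashes, not plaintext strings.
CREDENTIALS = {"alice": "correct horse battery staple"}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed credential table."""
    expected = CREDENTIALS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Minimal in-memory session table mapping session id -> session data
    (an assumed stand-in for whatever the real portal uses)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def create(self, sid: Optional[str] = None) -> str:
        """Create a session; generates a random id unless one is supplied."""
        sid = sid or secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self.sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self.sessions.pop(sid, None)


def login_vulnerable(store: SessionStore, presented_sid: str,
                     username: str, password: str) -> Optional[str]:
    """Session fixation: trusts the client-presented session id (creating it
    if unknown) and authenticates that same id. An attacker who planted the
    id beforehand, e.g. via a crafted link, now holds a logged-in session."""
    if not check_password(username, password):
        return None
    if store.get(presented_sid) is None:
        store.create(presented_sid)
    store.get(presented_sid)["user"] = username
    return presented_sid


def login_hardened(store: SessionStore, presented_sid: str,
                   username: str, password: str) -> Optional[str]:
    """Regenerates the session id on privilege change: the pre-auth id is
    destroyed and a fresh random id is bound to the authenticated user, so
    any id the attacker planted no longer maps to a session."""
    if not check_password(username, password):
        return None
    store.destroy(presented_sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = username
    return new_sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value that keeps the id away from script (HttpOnly), off
    plaintext HTTP (Secure) and out of cross-site requests (SameSite)."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def render_greeting_vulnerable(display_name: str) -> str:
    """Reflected XSS: untrusted input is concatenated straight into HTML."""
    return f"<p>Welcome {display_name}</p>"


def render_greeting_hardened(display_name: str) -> str:
    """Same page with HTML entity encoding applied at the output boundary."""
    return f"<p>Welcome {html.escape(display_name)}</p>"


if __name__ == "__main__":
    attacker_sid = "attacker-planted-id"   # constructed, not random
    vuln, hard = SessionStore(), SessionStore()
    kept = login_vulnerable(vuln, attacker_sid, "alice", CREDENTIALS["alice"])
    print("vulnerable login keeps planted id:", kept == attacker_sid)
    new_sid = login_hardened(hard, attacker_sid, "alice", CREDENTIALS["alice"])
    print("hardened login rotates id:", new_sid != attacker_sid and hard.get(attacker_sid) is None)
    print(set_cookie_header(new_sid))
    payload = "<script>alert(document.cookie)</script>"
    print(render_greeting_vulnerable(payload))
    print(render_greeting_hardened(payload))
```

The two properties worth checking in a real portal are the ones the demo isolates: the session id returned after a successful login must differ from the one the browser presented before it, and any value that originated from a request must reach the HTML response only through an encoder for the context it lands in. Output encoding is the control for the XSS finding; session regeneration plus the cookie attributes is the control for the fixation finding, and the HttpOnly flag also limits what a residual XSS can steal.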
Using the information provided above you must create a report for the ACME board which describes how ACME is exposed to cyberattacks and how the security division proposes to address this. Specifically, your report should contain:
- An executive summary describing the intent of the report and a digest of the findings and any recommendations.
- A brief risk assessment, describing 3-5 credible risks faced by ACME information assets. For each risk, this assessment must identify the applicable threat, including the vector and the actor(s), and propose an inherent risk rating using a sensible and appropriate risk assessment approach.
- A selection of 2-3 security controls or changes that address each of the risks you have identified.
- Demonstrated alignment between your recommendations and the ACSS requirements from the previous assignment.
Your assessment and recommendations should align with the focus area you have chosen for assignments 1 and 2.
Marking criteria and standards
Executive summary
The executive summary is intended to give the reader a summary of what the report will contain. It must not only introduce the topic but must also summarise the key findings, dependencies, recommendations, and lessons learned.
This section should be around 10% of the entire word count – half to one page in length is a good guide.
Standard: The summary is accurate and succinct, and clearly explains the purpose, content, and any conclusions of the report. The reader is left with an exceptionally clear sense of the thesis proposed by the author. All sections of the report are explained to an appropriate level of depth. The length of the summary is appropriate, being approximately 10-15% of the overall word count.

Findings review and risk assessment
This section should explain how each of the Red Team findings that relate to your focus area weakens the security posture of ACME. Based on the findings and analysis of the supplied material, this section must also describe credible risks faced by ACME, including the agent, mechanism, and impact of harm.
Standard: The findings are clearly, accurately and insightfully explained and the underlying weaknesses comprehensively described. An adequate number of appropriate risks are succinctly described and accurately assessed, and each has the threat agent, mechanism of harm, and impact clearly and accurately defined.

Controls and standards alignment
This section will describe a range of security controls and/or environment changes that address the findings and threats of the previous section. The alignment between the recommendations and the weaknesses or gaps identified must be clear. The recommendations must also be aligned with the new security standards (ACSS).
Standard: A suitable number of insightful, accurate, and appropriate controls or changes are suggested for each threat identified. Each control or change is clearly and succinctly described and is supported by literature. The suggestions are clearly linked to appropriate requirements documented in the ACSS such that the linkage to security policy objectives is clear.

Presentation and referencing
Your grammar, spelling, and sentence structure must be accurate and professional. The format of the submission must befit a corporate or government institution. The presentation must be clean and professional, and the message clearly conveyed at all times.
Appropriate referencing should be included using APA 7th Edition, and the reference list should contain a minimum of 6 appropriate references.
Standard: Grammar and spelling contain no errors. Sentence and paragraph structure is accurate and cohesive, and the ideas flow throughout the report. CSU/IT Masters formatting standards are closely followed. Overall presentation is professional and fastidiously edited, and commensurate with a master's level submission. Referencing and citation are properly and judiciously implemented, and a large amount of high-quality literature has been researched.