Opm office of the inspector general's oig final audit report

CYB610 Project 3
Transcript

You are an Information Assurance Management Officer, IAMO, at an organization of your choosing. One morning, as you're getting ready for work, you see an email from Karen, your manager. She asks you to come to her office as soon as you get in.

When you arrive to your work, you head straight to Karen's office. “Sorry for the impromptu meeting,” she says, “but we have a bit of an emergency. There's been a security breach at the Office of Personnel Management.”

We don't know how this happened, but we need to make sure it doesn't happen again, says Karen. You'll be receiving an email with more information on the security breach. Use this info to assess the information system vulnerabilities of the Office of Personnel Management.

At your desk, you open Karen's email. She's given you an OPM report from the Office of the Inspector General, or OIG. You have studied the OPM OIG report and found that the hackers were able to gain access through compromised credentials. The security breach could have been prevented, if the Office of Personnel Management, or OPM, had abided by previous auditing reports and security findings. In addition, access to the databases could have been prevented by implementing various encryption schemas and could have been identified after running regularly scheduled scans of the systems.

Karen and the rest of the leadership team want you to compile your findings into a Security Assessment Report or SAR. You will also create a Risk Assessment Report, or RAR, in which you identify threats, vulnerabilities, risks, and likelihood of exploitation and suggested remediation.

The security posture of the information systems infrastructure of an organization should be regularly monitored and assessed (including software, hardware, firmware components, governance policies, and implementation of security controls). The monitoring and assessment of the infrastructure and its components, policies, and processes should also account for changes and new procurements that are sure to follow in order to stay in step with ever-changing information system technologies.

The data breach at the Office of Personnel Management (OPM) is one of the largest in US government history. It provides a series of lessons learned for other organizations in industry and the public sector. Some critical security practices, such as lack of diligence to security controls and management of changes to the information systems infrastructure were cited as contributors to the massive data breach in the OPM Office of the Inspector General's (OIG) Final Audit Report, which can be found in open source searches. Some of the findings in the report include: weak authentication mechanisms; lack of a plan for life-cycle management of the information systems; lack of a configuration management and change management plan; lack of inventory of systems, servers, databases, and network devices; lack of mature vulnerability scanning tools; lack of valid authorizations for many systems, and lack of plans of action to remedy the findings of previous audits.

The breach ultimately resulted in removal of OPM's top leadership. The impact of the breach on the livelihoods of millions of people is ongoing and may never be fully known. There is a critical need for security programs that can assess vulnerabilities and provide mitigations.

There are nine steps that will help you create your final deliverables. The deliverables for this project are as follows:

Security Assessment Report (SAR): This should be an 8 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

Risk Assessment Report (RAR): This report should be a 5 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

In a Word document, share your lab experience and provide screen prints to demonstrate that you performed the lab.

How Project will be evaluated

Work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

· 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.

· 1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.

· 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.

· 1.4: Tailor communications to the audience.

· 1.5: Use sentence structure appropriate to the task, message and audience.

· 1.6: Follow conventions of Standard Written English.

· 5.2: Knowledge of architectural methodologies used in the design and development of information systems and knowledge of standards that either are compliant with or derived from established standards or guidelines.

· 5.6: Explore and address cybersecurity concerns, promote awareness, best practice, and emerging technology.

· 7.3: Knowledge of methods and tools used for risk management and mitigation of risk.

· 8.1: Demonstrate the abilities to detect, identify, and resolve host and network intrusion incidents.

· 8.2: Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle relevant digital evidence appropriately.

Step 1: Enterprise Network Diagram

During Project One, you researched a hypothetical or actual organization of your choice. You had to understand the goals of the organization and the types of systems that would fulfill those goals. You will now research and learn about types of networks and their secure constructs that may be used in organizations to accomplish the functions of the organization’s mission. You will propose a local area network (LAN) and a wide area network (WAN) for the organization, define the systems environment, and incorporate this information in a network diagram. Discuss the security benefits of your chosen network design.

Read about the following computing platforms available for networks and discuss how these platforms could be implemented in your organization. Include the rationale for all platforms you choose to include in your network design.

Common computing platforms

Cloud computing

Distributed computing

Centralized computing

Secure programming fundamentals

Step 2: Enterprise Threats

Review the OIG report on the OPM breach that you were asked to research and read about at the beginning of the project. The OIG report included numerous security deficiencies that likely left OPM networks vulnerable to being breached. In addition to those external threats, the report also describes the ways OPM was vulnerable to insider threats. The information about the breach could be classified as threat intelligence. Define threat intelligence and explain what kind of threat intelligence is known about the OPM breach.

You just provided detailed background information on your organization. Next, you’ll describe threats to your organization’s system. Before you get started, select and explore the contents of the following link: insider threats (also known as internal threats). As you’re reading, take note of which insider threats are a risk to your organization.

Now, differentiate between the external threats to the system and the insider threats. Identify where these threats can occur in the previously created diagrams. Relate the OPM threat intelligence to your organization. How likely is it that a similar attack will occur at your organization?

Step 3: Scanning the Network

Note: You will use the tools in Workspace for this step. If you need help outside the classroom to complete this project, register for CLAB 699 Cyber Computing Lab Assistance (go to the Discussions List for registration information). Primary lab assistance is available from a team of lab assistants. Lab assistants are professionals and are trained to help you.

Click here to access the instructions for navigating the Workspace and the Lab Setup.

Select the following link to enter Workspace, and complete the lab activities related to network vulnerabilities.

You will now investigate network traffic, and the security of the network and information system infrastructure overall. Past network data has been logged and stored, as collected by a network analyzer tool such as Wireshark. Explore the tutorials and user guides to learn more about the tools you will use. Click the following link to read more about these network monitoring tools: Tools to Monitor and Analyze Network Activities.

You will perform a network analysis on the Wireshark files provided to you in Workspace and assess the network posture and any vulnerability or suspicious information you are able to obtain. Include this information in the SAR.

You will then return to the lab in order to identify any suspicious activities on the network, through port scanning and other techniques. You will revisit the lab and lab instructions in Step 7: Suspicious Activity.

Click here to access the Project 3 Workspace Exercise Instructions.

In order to validate the assets and devices on the organization's network, run scans using security and vulnerability assessment analysis tools such as MBSA, OpenVAS, Nmap, or Nessus depending on the operating systems of your organization's networks. Live network traffic can also be sampled and scanned using Wireshark on either the Linux or Windows systems. Wireshark allows you to inspect all OSI layers of traffic information. Further analyze the packet capture for network performance, behavior, and any suspicious source and destination addresses on the networks.

In the previously created Wireshark files, identify if any databases had been accessed. What are the IP addresses associated with that activity? Include this information in the SAR.

Step 4: Identifying Security Issues

You have a suite of security tools, techniques, and procedures that can be used to assess the security posture of your organization's network in a SAR.

Now it's time to identify the security issues in your organization's networks. You have already used password cracking tools to crack weak and vulnerable passwords. Provide an analysis of the strength of passwords used by the employees in your organization. Are weak passwords a security issue for your organization?

Step 5: Firewalls and Encryption

Next, examine these resources on firewalls and auditing–RDBMS related to the use of the Relational Database Management System (i.e., the database system and data) RDBMS. Also review these resources related to access control.

Determine the role of firewalls and encryption, and auditing – RDBMS that could assist in protecting information and monitoring the confidentiality, integrity, and availability of the information in the information systems.

Reflect any weaknesses found in the network and information system diagrams previously created, as well as in the developing SAR.

Step 6: Threat Identification

You know of the weaknesses in your organization's network and information system. Now you will determine various known threats to the organization's network architecture and IT assets.

Get acquainted with the following types of threats and attack techniques. Which are a risk to your organization?

IP address spoofing/cache poisoning attacks

Denial of service attacks (DoS)

Packet analysis/sniffing

Session hijacking attacks

Distributed denial of service attacks

In identifying the different threats, complete the following tasks:

1. Identify the potential hacking actors of these threat attacks on vulnerabilities in networks and information systems and the types of remediation and mitigation techniques available in your industry, and for your organization.

2. Identify the purpose and function of firewalls for organization network systems, and how they address the threats and vulnerabilities you have identified.

3. Also discuss the value of using access control, database transaction and firewall log files.

4. Identify the purpose and function of encryption, as it relates to files and databases and other information assets on the organization's networks.

Include these in the SAR.

Step 7: Suspicious Activity

Note: You will utilize the tools in Workspace for this step.

Hackers frequently scan the Internet for computers or networks to exploit. An effective firewall can prevent hackers from detecting the existence of networks. Hackers continue to scan ports, but if the hacker finds there is no response from the port and no connection, the hacker will move on. The firewall can block unwanted traffic and NMap can be used to self-scan to test the responsiveness of the organization's network to would-be hackers.

Select the following link to enter Workspace and conduct the port scanning. Return to the lab instructions by clicking here to access the Project 3 Workspace Exercise Instructions.

Step 8: Risk and Remediation

What is the risk and what is the remediation? What is the security exploitation? You can use the OPM OIG Final Audit Report findings and recommendations as a possible source for methods to remediate vulnerabilities.

Read this risk assessment resource to get familiar with the process, then prepare the risk assessment. Be sure to first list the threats, then the vulnerabilities, and then pairwise comparisons for each threat and vulnerability, and determine the likelihood of that event occurring, and the level of impact it would have on the organization. Use the OPM OIG Final Audit Report findings as a possible source for potential mitigations. Include this in the risk assessment report (RAR).

Step 9: Creating the SAR and RAR

Your research and Workspace exercise have led you to this moment: creating your SAR and RAR. Consider what you have learned in the previous steps as you create your reports for leadership.

Prepare a Security Assessment Report (SAR) with the following sections:

Purpose

Organization

Scope

Methodology

Data

Results

Findings

The final SAR does not have to stay within this framework, and can be designed to fulfill the goal of the security assessment.

Prepare a Risk Assessment Report (RAR) with information on the threats, vulnerabilities, and likelihood of exploitation of security weaknesses, impact assessments for exploitation of security weaknesses, remediation, and cost/benefit analyses of remediation. Devise a high-level plan of action with interim milestones (POAM), in a system methodology, to remedy your findings. Include this high-level plan in the RAR. Summarize the results you obtained from the vulnerability assessment tools (i.e., MBSA and OpenVas) in your report.

The deliverables for this project are as follows:

Security Assessment Report (SAR): This should be an 8 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

Risk Assessment Report (RAR): This report should be a 5 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

In a Word document, share your lab experience and provide screen prints to demonstrate that you performed the lab.

Project 3 – SAR Outline (8-10 pages)

Note: The following is a suggested outline. You are not bind to it, however, make sure that, at the minimum, you cover all the topics.

The audience of this report is the leadership of your hypothetical (or real) organization. You can continue using the organization you used in Project 2, or choose a different organization.

Keep in mind that the use of diagrams/charts/tables greatly enhance your message.

· Title Page

· Purpose (Describe the purpose of this Security Assessment Report (SAR) based on the need of your (hypothetical) organization to assess the security of the network – this is a brief paragraph)

· Scope (State which networks are going to be covered in this assessment – this is a brief paragraph)

· Organization Network Overview (Describe the organization’s overview. Use the organization from Project 2 or a different one)

· Organization’s Mission

· Organizational Structure

· Network System Description

· Diagram of the Organization (LAN, WAN, intranet, extranet, internet)

· Identify system boundaries (inner networks separated from outside networks)

· Vulnerability Assessment Methodology (Discuss/describe how/what methodology are you going to use to evaluate the security/vulnerabilities of the organization’s network)

· Describe Network concepts

· TCP/IP model

· Firewalls

· Discuss Network Monitoring Tools

· Wireshark & Nmap

· Discuss OS Monitoring tools (Briefly review vulnerabilities found for OS [Project 2])

· MBSA/OpenVAS

· Discuss Database Concepts

· RDBMS

· Access control

· Findings

· Network-related (based on Project 3 lab findings)

· Wireshark

· Nmap

· OS-related (Briefly discuss the vulnerabilities you found in Project 2)

· MBSA/OpenVas

· Identity Mgmt (Briefly discuss the vulnerabilities IM-related you found in Project 1)

· Recommendations (discuss the recommendations you are proposing to the management of your organization – what/why. These should be actionable recommendations)

· Risk Management (discuss the [applicable] options your leadership has as they decide how to manage the risks posed by the network vulnerabilities you found)

· Accepting Risk

· Transferring Risk

· Mitigating Risk

· Eliminating Risk

References (make sure your references are written using APA style. Also make sure your in-text citations are correct. Refer to the post/discussion for APA links located in the Various Resources discussion forum)

Project 3 – RAR Outline (5 pages)

Use this sample RAR outline to apply the concepts learned in Project 3 and its scenario. There are many sample templates for RAs, and you are welcome to use a different one. However, at a minimum, the topics of this outline need to be covered. Consider the following:

· You can use the fictitious organizations from project 2 (Freedom of Pain Hospital)

· Include a title page and a reference page

· The EXECUTIVE SUMMARY for this report should be (about) 0.5-1 page long.

· Include a title page

· Present the Risk Assessment Results in a Table Format

· Present the risk-level matrix in table format

APPENDIX B: SAMPLE RISK ASSESSMENT REPORT OUTLINE (5-6 pages)

EXECUTIVE SUMMARY

I. Introduction

· Purpose

· Scope of this risk assessment

Describe the system components, elements, users, field site locations (if any), and any other details about the system to be considered in the assessment.

II. Risk Assessment Approach

Briefly describe the approach used to conduct the risk assessment, such as—

· The participants (e.g., risk assessment team members)

· The technique used to gather information (e.g., the use of tools, etc)

· The development and description of risk scale (e.g., a 3 x 3, 4 x 4 , or 5 x 5 risk-level matrix).

III. System Characterization

Characterize the system, including hardware (server, router, switch), software (e.g., application, operating system, protocol), system interfaces (e.g., communication link), data, and users.

Provide connectivity diagram or system input and output flowchart to delineate the scope of this risk assessment effort.

IV. Threat Statement

Compile and list the potential threat-sources and associated threat actions applicable to the system assessed.

V. Risk Assessment Results

List the observations (vulnerability/threat pairs). Each observation must include—

· Observation number and brief description of observation (e.g., Observation 1: User system passwords can be guessed or cracked)

· A discussion of the threat-source and vulnerability pair

· Identification of existing mitigating security controls

· Likelihood discussion and evaluation (e.g., High, Medium, or Low likelihood)

· Impact analysis discussion and evaluation (e.g., High, Medium, or Low impact)

· Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)

· Recommended controls or alternative options for reducing the risk.

VI. Summary

Total the number of observations. Summarize the observations, the associated risk levels, the recommendations, and any comments in a table format to facilitate the implementation of recommended controls during the risk mitigation process.

RISK ASSESSMENT REPORT TEMPLATE

[Freedom of Pain Hospital]

[Health Industry]

[Period of Assessment]

[Report Date]

Executive Summary
Brief, non-technical summary

RISK ASSESSMENT REPORT
[Company Name]

[Industry Sector]

[Period of Assessment]

[Report Date]

RISK ASSESSMENT
1. Background[footnoteRef:1] [1: Reference Security Assessment Report for Background.]

1.1 Purpose
1.2 Organization
· Description of Organization
· Organizational Structure (include diagram)
1.3 Critical Information Systems (include tables and diagrams as appropriate)
· Organization Information Systems
· Networks and Connectivity
· Important System and Network Boundaries
· External Systems and Users
· Sample Information Flow(s) and Storage
1.4 Scope Covered in Assessment (include why)
1.5 Other Related Assessments
· Completed or in progress (e.g., SAR, lab tests)
2. Assessment Approach

2.1 Active Participants
Role

Name

2.2 Passive Participants
Role

Name

2.3 Methods Employed
Method

Synopsis

2.4 Model(s) and Methods Employed
Include :

· Business impact of (insider and external) threats and technical and physical vulnerabilities to critical system(s), information, networks and interfaces to external systems and users.

· Probability of successful incident.

· How risks will be quantified

· Diagrams and/or tables showing risks will be presented for executives and others

· Reference standards and industry best practices, models and methods employed.

3. Assessment Results1[footnoteRef:2] [2: For critical system(s), information, networks and interfaces to external systems and users. Reference Security Assessment Report for threats and vulnerabilities.]
3.1 Insider Threats
Threat1

Synopsis

Impact

Probability

3.2 External Threats
Threat1

Synopsis

Impact

Probability

3.3 Vulnerabilities
Vulnerability1

Synopsis

Impact

Probability

4. Assessment Results
4.1 Rank Ordered Risk Levels (Highest to Lowest)
ID[footnoteRef:3] [3: ID: Label categories S=System, N=Network, I=Interface, D=Data or Information and give number in each category (e.g., S1, S2, N1,D1)]

Risk Level

Threat or Vulnerability1

Current Security Posture

Potential Security Measures

Estimated Cost of Each

4.2 Recommended Actions
Risk ID2

Risk Level

Threat or Vulnerability1

Recommended Security Measure

Estimated Cost

Risks Involved In Implementation