Shawn's C843 Task Example (Paper Option)

A palace in the 'Three Kingdoms' region was attacked due to lax security practices, allowing untrained guards to admit a large package without inspection, leading to the infiltration and murder of the king and knights. The attack highlighted violations of security protocols and regulations, resulting in compromised confidentiality, integrity, and availability of sensitive information. Immediate actions and a structured incident response plan are recommended to prevent future breaches and enhance palace security compliance.


Shawn’s C843 Example: The King’s Gate Guard

Case Study: A palace within the “Three Kingdoms” region experienced an attack recently. Yesterday (Friday), the palace’s guards allowed untrained guards to man the gate while they played cards and drank ale, as they do every Friday night. The guards-in-training accepted an unusually large package into the palace without inspecting the contents. This morning (Saturday), a young guard-in-training noticed an enemy helmet on the ground, the open, empty package crate with exiting footprints visible, and the palace back gate open and unguarded. He wondered if what he was seeing was related to the commotion he heard coming from the palace armory during the night. Further investigation revealed that the King and several knights and guards were dead, the king's war council room had been accessed, maps, battle plans, and the palace population’s calendar year 1491 income tax documents were missing, a royal lineage document had been craftily re-written and left behind, and the armory entrance had been destroyed, preventing entry. The king’s guard at this particular palace is a known lax unit, and it is known that many chamber door locks are broken and others are just left unlocked inside the palace.

Commented [DSL1]: A non-government organization operating under the auspices of a Federal Agency.
Commented [DSL2]: The Federal Government.
Commented [DSL3]: Vulnerability likened to an untrained user who indiscriminately clicks on email links.
Commented [DSL4]: Threat likened to a malware dropper introduced into the network by an unsuspecting user.
Commented [DSL5]: Evidence and remnants of an attack that can be used to deduce what happened.
Commented [DSL6]: Evidence of attack impact likened to missing/altered/inaccessible information.
Commented [DSL7]: Vulnerabilities likened to poor/nonexistent firewall implementations.
A. Success of the Attack

A group of enemy soldiers likely conducted surveillance on the palace to estimate that the front gate would be vulnerable to a breach on Friday night. The enemies likely exploited the absence of an inspection and in-processing policy for deliveries, coupled with the lax guards, to have a giant crate admitted unmolested and left inside. The soldiers likely smuggled themselves into the palace when the untrained guards allowed the crate inside. They then likely emerged from the crate later, overpowered the lax night guards and opened the back gate to let other soldiers in. Once inside, the soldiers likely took advantage of additional physical security vulnerabilities, such as unlocked doors, to stealthily access and kill the king and knights in their sleep, and to access off-limits areas of the king’s chambers and palace grounds to cause damage.

Commented [DSL8]: A plausible theory of what happened based on the circumstances outlined in the case study.

B. CIA, PII, and Standard Framework Compliance

The “Three Kingdoms” Palace Security Framework (TKPS) outlines guidelines for all kingdoms in this particular region to follow standard minimum palace security protocols and best practices (BossKing, 1485). Some basic areas from the TKPS include provisions for palace security personnel to (1) inspect all packages before permitting them inside the palace, (2) always have fully trained guards manning all palace entry points 24/7, and (3) inspect all palace door locks weekly to ensure functionality. All three of these provisions were ignored by the palace and ultimately resulted in compromise of confidentiality, integrity, availability, and PII during the attack. The following are instances of each:

• Confidentiality – Once the soldiers infiltrated the palace, they exploited the vulnerabilities in physical security to access and view private information in the king’s chambers, including battle plans and lineage documentation.
• Integrity – The soldiers exploited vulnerabilities in package processing procedures to compromise the integrity of the palace wall. They also exploited vulnerabilities in physical security to access and modify documents.
• Availability – The soldiers likely made off with some of the palace’s armory contents. To add insult to injury, they blocked off access to the armory, temporarily denying availability of its contents to the remaining palace guards. The soldiers also stole the copy of the king’s maps and battle plans, making them no longer available to the remaining palace personnel.
• PII – The soldiers gained access to the palace’s Medieval IRS tax statements for all the palace residents, which contained personal information about everyone.

Commented [DSL9]: Industry standard framework likened to FISMA FIPS 200, ISO 27002 etc.
Commented [DSL10]: You will have to include APA style in-text citations.
Commented [DSL11]: Explanation of how CIA and PII were compromised. Clearly identify an instance of each (confidentiality, integrity, availability, and PII) with a specific example from the case study.

C. Regulations
Two “Three Kingdoms” regulations were blatantly violated by the kingdom within the case study: the Three Kingdoms Privacy Document Act (PDA) and the KGRA. The PDA makes it punishable by a fine of 1000 gold coins to fail to securely store and control access to documents containing private information of palace residents. The kingdom violated the PDA by failing to properly lock away copies of the files. The KGRA makes it punishable by imprisonment to allow guards who have yet to complete their Medieval Computer-based training course entitled “How to be a Guard” to perform guard duties unsupervised by a fully trained guard. The palace guards violated the KGRA the night of the breach by allowing untrained guards to run the palace gate.

Commented [DSL12]: Likened to actual specific federal regulations. Examples include regulations such as the Privacy Act of 1974.
Commented [DSL13]: Specifics from the case study to serve as evidence of violation.

D. Immediate Steps

Although there are several long-term actions that will need to be taken to recover from the attack and prevent future incidents, there are also several that should be taken now to mitigate the impact of the attack. Below are several recommended immediate actions:

• Conduct a sweep of the kingdom walls and internal spaces to identify any residual malicious presence, new vulnerabilities, and additional findings to facilitate assessment of damage and impact and to prioritize fix actions.
• Secure the front and back palace gates (close, lock, ensure the presence of fully trained guards, immediately start enforcing the KGRA, implement a standing procedure for package inspection until palace policy is released). This will prevent a similar re-entry of unwanted malicious “packages”.
• Replace/fix locks.
• Retrieve backup copies of stolen documents in order to adjust palace defenses and battle plans based on attacker knowledge.
• Notify palace residents and the Three Kingdoms higher echelon privacy administration of the PII leak.
• Dig out the armory entrance to allow remaining guards to arm themselves to defend the kingdom.
• Exercise the order of succession to get a new decision maker in place to oversee policy development and implementation.

Commented [DSL14]: Steps recommended to be taken “now” to mitigate impact (primarily the containment and eradication portions of incident response).

E. Incident Response Plan

An incident response plan would have enabled palace security to perform identification, containment, eradication, and restoration activities in a more prompt, organized and efficient manner. Having a plan in place would provide a protocol to systematically guide responders through thought-out response actions, instead of acting on emotion or not acting at all for lack of knowledge. A plan in place at the palace could possibly have expedited or stopped events from occurring, had proper initiation and notifications been made during the night when the guard-in-training heard the abnormal commotion coming from the armory…

Commented [DSL15]: For this section ask yourself the following questions and revolve your discussion around answers to them: If an incident response plan had been in place, what could have been different? What could have been prevented, what could have been protected?

F. Recommended Processes

To bring the kingdom into compliance with the violated regulations and heighten information assurance levels, the following processes are recommended for implementation:

• To overcome the identified violations of the PDA, the following actions are recommended: create, implement and enforce policy to designate custodian(s) of documents who will ensure privacy documentation is properly locked away in a designated room in the palace, and also inside locked cabinets, both with limited and controlled access. Enforce logging of access, keep backups offsite…

G. Recommended Technical Solutions

Use custom cipher/scrambler mechanisms to “encrypt” battle plans to prevent compromise in the event of loss, theft, or prying eyes. The guards should also implement [additional technical control here] to prevent XYZ from recurring…

Commented [DSL16]: A common mistake in this section is students listing administrative solutions, such as training and policy development and implementation, as technical controls. You will need to list the actual “technical” solution recommendation.

H. Organizational Structure

Head of palace security (HOPS) reports directly to the king on all things involving palace security. The HOPS is responsible for protecting the king, as well as the development, implementation and overall enforcement of palace security policy approved by the King, and manages the palace guard force, including the gate guard team, emergency response team and document security team. Each team will have a team lead who will report to the HOPS on security items under their respective purview. The HOPS and subordinate teams will work collectively to protect the king, palace boundaries, and palace grounds from intruders.

The gate guard team will be responsible for implementing and enforcing policy and procedures directed by the HOPS. The guard team’s responsibilities will include properly manning and protecting the palace gates and walls with trained guards, properly inspecting personnel and packages entering/leaving the palace, and initiating palace emergency response actions at the first sign of trouble according to security standard operating procedures.

When called upon, the palace emergency response team (PERT) will augment the gate guard to stop impending or ongoing intrusions. Duties of the PERT will include removing unwelcome infiltrators, augmenting the gate team to reinforce palace boundaries, manning the palace armory, sweeping palace grounds for damage assessment, and reporting findings to the HOPS. The PERT will also interface with the document security team during palace sweep activities to verify the safety and integrity of important palace documents.

The palace document security team will consist of data custodians and scribes who carry out functions to provide layered protections to important palace documents. Duties include…

Commented [DSL17]: Recommend your org structure. This can be role-to-actual names, teams, roles only etc. The key is to articulate the relationship of the roles/teams to each other, what their individual functions are, and how collectively the functions will foster efficient discovery and mitigation of future incidents.

I. Risk Management Approach
A risk management approach conducive to early, proactive engagement in handling risk is recommended for the palace security team to adopt. The actual risks that precipitated the attack, coupled with best practices, should drive development of the approach as a standard moving forward. The following bullet points outline the risks observed from the case study, categorized in terms of likelihood, severity, and impact.

Unauthorized entry at palace gate

• Likelihood: Medium – untrained guards, social engineering vulnerabilities, lax security practices
• Severity: High – a breach by an unauthorized individual could lead to theft, sabotage, injury, da
• Impact: High – negates protections provided by the wall and moat, could cost life of the king

Additional identified risk


• Likelihood
• Severity
• Impact

Additional identified risk


• Likelihood
• Severity
• Impact

Based on the above risks, the palace security team should incorporate best practices for risk management outlined in [your choice of risk management framework, e.g. NIST 800-37] to provide a standard for managing existing and future risks. The approach should entail, at a minimum, procedures for (1) identifying, (2) analyzing, (3) evaluating/assessing, (4) applying a solution to, and (5) monitoring risks. This would allow palace security to reduce risks to an acceptable level before they fully materialize, and also enable posturing to mitigate anticipated future risks.

The Identification step of the approach would consist of XYZ


The Analysis step of the approach would consist of XYZ
The Evaluation/assessment step of the approach would consist of XYZ
The solutions step of the approach would consist of XYZ
The monitoring step of the approach would consist of XYZ

With this approach in place before the attack, a risk such as the potential for a non-forced breach at the gate would have been identified, categorized, and given a solution that reduced the risk to the level with the lowest possible likelihood of occurrence beforehand. This in turn would likely have prevented…

Commented [DSL18]: Individually categorize the risks you observed and then discuss the risk management approach you recommend moving forward. Justify the reasoning for your recommendation.
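As an added illustration that is not part of the paper, the register below walks the gate risk rated above through the five steps (identify, analyze, evaluate, apply a solution, monitor). The Low/Medium/High-to-1/2/3 scale, the ACCEPTABLE tolerance and the two risks other than the gate are constructed assumptions; only the gate risk's ratings come from the paper.

```python
# Added example: a risk register walking the five-step approach (identify, analyze,
# evaluate, apply a solution, monitor). The 1/2/3 rating scale, the ACCEPTABLE
# tolerance and the two risks other than the gate are constructed assumptions.
from dataclasses import dataclass, field

LEVEL = {"Low": 1, "Medium": 2, "High": 3}
ACCEPTABLE = 3  # assumed tolerance: Low likelihood x High severity/impact is tolerated

@dataclass
class Risk:
    name: str
    likelihood: str
    severity: str
    impact: str
    controls: list = field(default_factory=list)  # solutions applied so far

    def score(self) -> int:
        # Step 2 (analyze): likelihood weighted by the worse of severity and impact.
        return LEVEL[self.likelihood] * max(LEVEL[self.severity], LEVEL[self.impact])

def identify() -> list[Risk]:
    # Step 1 (identify): the gate risk is rated as in the paper; the others are constructed.
    return [
        Risk("Unauthorized entry at palace gate", "Medium", "High", "High"),
        Risk("Broken/unlocked chamber doors", "High", "High", "Medium"),
        Risk("Privacy documents not locked away", "High", "Medium", "High"),
    ]

def evaluate(register: list[Risk]) -> list[Risk]:
    # Step 3 (evaluate): risks above tolerance, worst first, are the ones needing a solution.
    above = [r for r in register if r.score() > ACCEPTABLE]
    return sorted(above, key=lambda r: r.score(), reverse=True)

def apply_solution(risk: Risk, control: str, residual_likelihood: str) -> Risk:
    # Step 4 (apply a solution): record the control and the residual likelihood it leaves.
    risk.controls.append(control)
    risk.likelihood = residual_likelihood
    return risk

def monitor(register: list[Risk]) -> dict[str, int]:
    # Step 5 (monitor): re-score; anything still above tolerance is flagged for another pass.
    return {r.name: r.score() for r in register if r.score() > ACCEPTABLE}

if __name__ == "__main__":
    reg = identify()
    for r in evaluate(reg):
        print(f"{r.score():>2}  {r.name}")
    apply_solution(reg[0], "Trained guards 24/7 plus package inspection (TKPS 1 and 2)", "Low")
    print("Still above tolerance after the gate fix:", monitor(reg))
```

After the gate control brings likelihood down to Low, the gate risk scores 3 and drops out of the monitoring list, while the two unaddressed risks remain flagged at 9.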

References

BossKing, J. (1485). Three Kingdoms Palace Security Framework in a Nutshell.

Commented [DSL19]: You will have to include an APA-style reference page.
