Task Example
Use this example as a guide for expected length, format, and specificity in responses.

As you can see, the expectation is NOT an essay or a story; it is a short-answer assignment with 9 questions, each answered with 2-4 direct, to-the-point sentences under the header for the question being answered. Multi-part questions like question B and question I obviously may require additional sentences to cover each required point.

Bolded text in the example marks absolute must-have content!

No citations or references are required, but I have provided an example in-text citation and reference page for those who may choose to support their work. Question B requires you to discuss 4 compromise examples (Confidentiality, PII, Integrity, and Availability) AND support 2 of those 4 using an industry standard.

Question I requires you to provide a risk management approach AND provide likelihood, severity, & impact categorizations for 2 specific risks.

Be sure to base your responses on the case study in your course.
A.
One vulnerability that led to the success of the attack on Super School University (SSU) was the use of expired antivirus software. The school decided not to renew the subscription six months ago. This vulnerability allowed the attacker to infect 5 systems on the school network with malware. Up-to-date antivirus software and signatures could have reduced the likelihood of this portion of the attack occurring.

A second weakness present at the university was the outdated patch level of all systems. The patch management team failed to implement a critical patch, which left systems vulnerable to easy remote access. The attacker exploited this vulnerability to gain access to a system via a null credential associated with the vulnerability they found on the dark web. Proper patching would have prevented the unauthorized access.
B.
Confidentiality and PII were compromised when the attacker breached the university network and accessed the student records of all students enrolled in the nursing program. This unencrypted information included student social security numbers, addresses and contact information, which constitutes PII. According to NIST SP 800-122 authors McCallister et al. (2010), “personal information controllers should protect personal information that they hold with appropriate safeguards against risks, such as loss or unauthorized access to personal information, or unauthorized destruction, use, modification or disclosure of information or other misuses”.

Availability was compromised when the attacker encrypted all files within the nursing professors’ shared space on the network, preventing access to the data therein. NIST SP 800-53 (2020) emphasizes the importance of creating and maintaining data backups to support data recovery. A reliable backup regimen could be beneficial for SSU to recover data rendered unavailable by the attacker.

A compromise of integrity occurred due to the attacker altering data within several files and records and completely deleting others.
C.
A federal regulation SSU was non-compliant with is the Family Educational Rights and Privacy Act (FERPA). FERPA requires U.S. colleges and universities to take reasonable methods to protect student records. SSU stores electronic student records and personal data in an unencrypted state on systems with no protections in place. This lack of reasonable protections is a violation of FERPA.
D.
One immediate step the school should take in response to the current attack would be to isolate the devices infected with malware. This action would contain the known infection to prevent spread and allow for remediation to limit further damage to the network.

A second immediate step to take would be to apply the latest patch version across the systems, followed by a credentials reset. This would quickly remove susceptibility to the exploit and ensure the attacker’s access is removed.
E.
An incident response plan will contain steps for containing an incident once it is detected or reported. Having a plan in place at SSU that outlines effective containment strategies for an array of potential incidents would have ensured computers infected with malware were quickly isolated to limit damage.

Another useful aspect of an incident response plan is the preparation phase, which includes policy development as well as training and educating staff prior to an incident occurring. This could have been beneficial as it could have expedited the reporting of odd behavior of computer systems in the nursing department to security and incident response personnel for investigation.
F.
The following are processes SSU can implement to support reasonable protection of student records as outlined by FERPA. One process the school can take would be to employ encryption on data shares housing student records. The steps in the process would be to first identify the type and sensitivity of the data, segment and store the data accordingly, and finally encrypt the data at rest.

A second process would be to apply access controls to systems housing student records. The steps in this process would be to first identify individuals requiring access to the data, then determine the level of access, and finally assign accesses and generate accompanying access control lists.
G.
One technical solution that can be implemented to address remaining effects and prevent future attacks is data encryption. Applying an effective encryption scheme for both data at rest and data in transit would provide a layer of defense that would help protect the confidentiality of data from those not authorized to access it.

A second technical solution that could be applied is to deploy an intrusion prevention system (IPS) at the network boundary to provide a level of protection from malicious or anomalous connection attempts. This would help in thwarting additional attempts from the current attacker and other future malicious traffic.
H.
The recommended organization structure for SSU to support IT management, security management, and incident handling would include the following.

The IT Director will be responsible for managing the full lifecycle of IT assets used at the school, from procurement through decommissioning, to support IT management. They will report to the SSU Associate Dean and manage the IT support staff as well as the cybersecurity staff.

The Cyber Security Manager will report to the IT Director and manage the SSU Cyber Security Team. The Cyber Security Manager will support security management through performance of duties such as creating and maintaining security policies and overseeing the security awareness and training program.

The Cyber Security Team will be led by a team lead who reports directly to the Cyber Security Manager. The team will support efficient discovery through meticulous monitoring of security dashboards for threats. They will ensure mitigation of incidents by performing incident response actions in accordance with the team’s incident response plan, which includes steps for containing, eradicating and recovering from incidents.
I.
My recommendation for SSU regarding risks is to strive to reduce risks to an acceptable level by following the steps in the following risk management approach:
(1) Identify risks to know what risks the university faces.
(2) Categorize risks to ascertain how likely they are to occur, how severe each is considered to be, and what the impact on SSU would be in the event a risk comes to fruition.
(3) Determine risk treatment to decide whether to accept the risk (allow it to happen), mitigate the risk (apply some countermeasure or control), transfer the risk (purchase insurance to cover the outcome if the risk happens), or avoid the risk (take measures to make yourself less susceptible to the risk).
(4) Apply the risk treatment selected to reduce the risk to a level deemed acceptable by the university.

One risk present at Super School University is the risk of malware infection. The likelihood of this risk is high due to the absence of effective security controls. The severity is high due to the inherent danger of malware infection to systems. The impact categorization is high due to the cost of rectifying a potential malware infection. Based on the categorizations of this risk, this risk should be mitigated via implementation of effective security controls such as updated antivirus software and a properly configured firewall.

A second risk observed at SSU is the risk of power outage. The likelihood of this occurrence is low due to the robust backup generator power and failover system in place. The severity is low compared to other risks the school faces, considering the countermeasures in place. The impact is high as such an outage could halt classes and reflect negatively on the school’s reputation. The treatment for this risk would be to accept the risk and take no further action.
References
McCallister, E., Grance, T., & Scarfone, K. A. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (NIST SP 800-122). https://doi.org/10.6028/nist.sp.800-122
Joint Task Force (2020). Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev. 5). CSRC. https://csrc.nist.rip/pubs/sp/800/53/r5/upd1/final