Information Technology Assignment 1 Unit Security.pdf

INFORMATION TECHNOLOGY ASSIGNMENT 1


1.3 M1 Propose a method to assess and treat IT security risks 21

CHAPTER 2 IT SECURITY SOLUTIONS 38

2.1 P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS 38


Figure 1-8 Third-party attacks 16

Figure 1-9 Terrorism 17

Figure 1-10 Access Control Procedures 19

Figure 1-11 Security Incident Response Procedures 20

Figure 1-12 Security Awareness Training 21

Figure 1-13 Assessing IT security threats 22

Figure 1-14 Vulnerability Assessment 23

Figure 1-15 Penetration Testing 24

Figure 1-16 Threat Modeling 25

Figure 1-17 Security Information and Event Management (SIEM) tools 26

Figure 1-18 Network Traffic Analysis 27

Figure 1-19 User Behavior Analytics (UBA) 28

Figure 1-20 IT systems 29

Figure 1-21 Governance and control 30

Figure 1-22 External Threats 31

Figure 1-23 Firewall 32

Figure 1-24 Anti-virus and anti-intrusion software 33

Figure 1-25 Data encryption 34

Figure 1-26 Network monitoring 35

Figure 1-27 Network monitoring 36

Figure 1-28 Employee training 37

Figure 2-12 Access points 47

Figure 2-13 Load balancer 47


Performed by student: Nguyen Trinh Anh Tuan. Instructor: Nguyen The Xuan Ly

The 1st and 2nd floors are for employees, divided into 20 departments:

• There are 20 departments for employees, including engineering, accounting, and business. Each department has 10 desks, each with a wired-network computer and a printer. Each floor has 10 identical rooms. A separate VLAN is created for each branch.

• The remaining rooms are allocated for private purposes such as storage, a document room, meeting rooms, an event room and a reception hall. Each room has 2 computers and 1 projector; the separate reception hall accommodates 5 wired computers and a 50-inch projection screen.

• The wireless system provides wireless connectivity for 300 devices at the same time; the access point is installed on the first floor in the center of the reception hall.

• The 3rd floor will contain 1 ISP


engineering attacks, phishing, theft, or hacking, and can cause significant damage to an organization's reputation, financial stability, or operations. It is important for individuals and organizations to identify and mitigate potential threats in order to minimize the risk of harm or loss.

2 Identify threat agents to organizations

A threat agent is the source from which a threat originates. For organizations, threat agents include individuals, groups, or organizations with malicious intent, such as cybercriminals, hackers, insiders, and competitors, as well as non-human sources such as natural disasters, which have no intent but can cause the same kind of loss.

• Phishing: Phishing is a technique that involves sending fraudulent emails or other communications that appear to come from a trustworthy source in order to trick the recipient into providing sensitive information.

• Social engineering: Social engineering is the use of psychological manipulation to deceive individuals into divulging sensitive information or performing actions that are not in their best interest.

• Insider threats: Insider threats occur when a current or former employee, contractor, or business partner uses their legitimate access to sensitive data or systems for malicious purposes.


• Cyber espionage: Cyber espionage involves the theft of, or unauthorized access to, sensitive information or intellectual property for economic, political, or military gain.

These are just some of the most common types of security threats that organizations face. It is important for organizations to have comprehensive security measures in place to protect against these threats.

1.1.2 Here are some types of security threats that organizations may face:

• Cyberattacks

A cyberattack is an attempt by a threat actor to gain unauthorized access to, or cause damage to, computer systems, networks, or devices using digital technologies such as the internet, software, or hardware. Cyberattacks can have various objectives, including stealing sensitive data, disrupting operations, damaging systems or hardware, or using compromised resources for further attacks. Here are some common types of cyberattacks:

• Malware: Malware is malicious software designed to damage, or gain unauthorized access to, computer systems or data. Examples include viruses, Trojans, and ransomware.

• Phishing: Phishing is a technique that involves sending fraudulent emails or other communications that appear to come from a trustworthy source in order to trick the recipient into providing sensitive information.

• Denial-of-service (DoS) attacks: A DoS attack occurs when a network or service is flooded with more traffic or requests than it can handle, exhausting bandwidth, connection state, or processing capacity so that it crashes or becomes unavailable to legitimate users.

• Man-in-the-middle (MitM) attacks: In a MitM attack the attacker positions themselves between two communicating parties and relays their traffic in order to read or modify data in transit. Unencrypted or unauthenticated connections are the usual target.

• SQL injection attacks: A SQL injection attack targets an application's database by supplying input that the application concatenates into a SQL query as text, so that the input is interpreted as SQL syntax rather than as data. This can be used to bypass authentication, read or modify data, or run additional queries. The standard defence is parameterized queries (prepared statements), so that user input is always bound as a value and never parsed as SQL.

• Zero-day exploits: A zero-day exploit takes advantage of a vulnerability that is not yet known to the vendor, or for which no patch has yet been released, so there is no fix available to apply at the time of the attack.

• Advanced persistent threats (APTs): APTs are long-term, targeted intrusions, typically by well-resourced groups, that use sophisticated techniques to gain and maintain unauthorized access to sensitive data or systems while avoiding detection.

It is important for individuals and organizations to be aware of these types of cyberattacks and implement security measures to protect against them, such as firewalls, antivirus software, and regular software updates.
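The SQL injection entry above is easiest to understand with the vulnerable and the hardened query side by side. The following Python example is added here for illustration and is not part of the original assignment; it uses an in-memory SQLite table with constructed users, stores passwords in clear text only so that the injection itself is visible (a real system stores password hashes), and shows two classic payloads, a tautology and a comment sequence, against string concatenation versus bound parameters.

```python
import sqlite3

# Constructed sample data for the example (not from the original page).
USERS = [("alice", "correct horse"), ("bob", "battery staple")]


def make_db():
    """In-memory SQLite database with a users table; passwords kept in clear for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: attacker-controlled input becomes SQL syntax."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same logic, but the values travel as bound parameters and are never parsed as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both login functions against valid credentials and two injection payloads."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into ... AND password = '' OR '1'='1'
    comment = "alice'--"        # SQLite treats "--" as a comment, dropping the password check
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        "param_good_creds": login_parameterized(conn, "alice", "correct horse"),
        "param_tautology": login_parameterized(conn, "nobody", tautology),
        "param_comment": login_parameterized(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'login OK' if result else 'login rejected'}")
```

With concatenation both payloads log in without knowing any password; with parameters the same strings are simply compared as literal values and rejected.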


Figure 1-2 Cyberattacks

• Insider threats

Insider threats are security risks that originate from within an organization. They involve an individual with authorized access to an organization's systems, data, or physical assets using that access in a way that harms the organization. Insider threats can be intentional or unintentional, and the intentional ones can arise from a variety of motives such as financial gain, revenge, or personal beliefs. Here are some common types of insider threats:

Malicious insiders: Malicious insiders are individuals who intentionally abuse their access to sensitive data or systems for personal gain or to cause harm to the organization. This can include stealing confidential information, modifying or destroying data, or disrupting operations.

Accidental insiders: Accidental insiders are employees who inadvertently cause a security breach, for example by sharing sensitive information with the wrong recipient or falling for a phishing scam.

Negligent insiders: Negligent insiders are employees who violate security policies and procedures, such as failing to properly secure passwords or leaving sensitive data on an unsecured device.

Third-party insiders: Third-party insiders include contractors, vendors, or business partners who have access to an organization's systems or data and may pose a security risk if their security practices are not properly vetted and monitored.

It is important for organizations to have a comprehensive insider threat program that includes background checks, access controls, monitoring of employee activity, and training on security policies and procedures. By understanding and mitigating insider threats, organizations can better protect their sensitive data and systems from unauthorized access and misuse.


Figure 1-3 Insider threats

• Physical security threats

Physical security threats are risks to an organization's people, property, and assets that arise from physical events or actions. Physical security threats can include natural disasters, theft, vandalism, and terrorism. Here are some common types of physical security threats:

• Natural disasters: Natural disasters such as earthquakes, floods, hurricanes, and wildfires can cause damage to an organization's facilities, disrupt operations, and harm employees.

• Theft: Theft of physical assets such as equipment, inventory, or cash can lead to financial loss and disruption of operations. Stolen laptops and storage devices are also a data-breach risk if they are not encrypted.

• Vandalism: Vandalism, such as graffiti or destruction of property, can harm an organization's reputation and cause financial loss.

• Workplace violence: Workplace violence, including physical assaults or threats of violence, can endanger employees and disrupt operations.

• Terrorism: Terrorism involves acts of violence or intimidation designed to achieve political or social objectives and can result in loss of life, damage to property, and disruption of operations.

• Sabotage: Sabotage involves intentional damage to an organization's property or systems with the goal of causing harm or disruption.

• Cyber-physical attacks: Cyber-physical attacks involve the exploitation of vulnerabilities in digital control systems to cause physical damage or disruption, for example an attacker who gains control of a building's HVAC or other building-management system and uses it to damage equipment or shut down operations.

It is important for organizations to have a comprehensive physical security plan that includes measures such as access controls, surveillance systems, emergency response procedures, and regular training and drills to prepare for potential physical security threats.


Figure 1-4 Physical security threats

• Social engineering attacks

Social engineering attacks are a type of attack that involves manipulating people into divulging confidential information, performing an action, or allowing access to a system or data. These attacks use psychological tactics to exploit human behavior and bypass technical security measures. Social engineering attacks can take many forms, but here are some common types:

• Phishing: Phishing is a type of social engineering attack that involves sending fraudulent emails or other communications that appear to come from a trustworthy source in order to trick the recipient into providing sensitive information.

• Pretexting: Pretexting involves creating a fake scenario or identity in order to gain access to sensitive information. For example, an attacker might pose as an IT support technician to trick an employee into providing login credentials.

• Baiting: Baiting involves offering something of value, such as a "free" USB drive or gift card, in order to entice an individual to plug in a device, click on a malicious link, or download malware.

• Scareware: Scareware involves presenting false or misleading information, such as a fake virus warning, in order to scare an individual into taking an action, such as downloading fake antivirus software.

• Spear-phishing: Spear-phishing is a targeted form of phishing that involves researching an individual or organization in order to craft a personalized message that is more likely to be successful.

• Vishing: Vishing involves using voice or telephone communication to trick an individual into divulging sensitive information or performing an action.

It is important for individuals and organizations to be aware of social engineering attacks and take measures to protect against them, such as implementing security awareness training, multi-factor authentication, and email filters to detect and prevent fraudulent messages.


Figure 1-5 Social engineering attacks

• Natural disasters

Natural disasters are events caused by natural phenomena that can cause damage, loss of life, and disruption to an organization's operations. Natural disasters can include hurricanes, floods, earthquakes, tornadoes, wildfires, and other events. Here are some common types of natural disasters and their potential impact on an organization:

• Hurricanes: Hurricanes can cause flooding, power outages, and damage to buildings and infrastructure, leading to disruption of operations and loss of revenue.

• Floods: Floods can damage buildings, destroy inventory and equipment, and disrupt transportation, causing delays and financial loss.

• Earthquakes: Earthquakes can cause damage to buildings and infrastructure, leading to disruption of operations and loss of revenue.

• Tornadoes: Tornadoes can damage buildings, destroy inventory and equipment, and disrupt transportation, causing delays and financial loss.

• Wildfires: Wildfires can damage buildings, destroy inventory and equipment, and disrupt transportation, causing delays and financial loss.

Organizations should have a comprehensive disaster recovery and business continuity plan that includes measures such as emergency communication procedures, evacuation plans, backup and recovery procedures for data and systems (with backups stored off-site so that the same event does not destroy both), and alternate facilities or remote work options. By being prepared for natural disasters, organizations can minimize the impact on their operations and quickly recover from any disruptions.


Figure 1-6 Natural disasters

• Supply chain attacks

Supply chain attacks are a type of cyber attack that targets a company's suppliers, partners, or vendors in order to gain access to the company's systems or data. In a supply chain attack, attackers look for vulnerabilities in the systems or products of a third-party vendor, which can then be used to launch an attack against every company that uses the vendor's services or products. Here are some common types of supply chain attacks:

• Malware injection: Malware can be injected into the software or firmware of a supplier's product, for example by compromising the supplier's build or update process, and then infects the customer's system when the product is installed or updated.

• Third-party software vulnerabilities: Attackers can exploit vulnerabilities in third-party software, libraries, or applications that are used by the supplier or vendor, allowing them to gain access to the customer's system.

• Vendor email compromise: Attackers can impersonate a supplier or vendor via email or other communication channels in order to trick employees into providing access credentials or sensitive information.

• Hardware manipulation: Attackers can manipulate hardware components or devices during manufacturing or shipping in order to insert backdoors or other malicious elements into the system.

• Counterfeit components: Attackers can replace legitimate components with counterfeit ones, which can contain malware or other malicious elements that can be used to gain access to the customer's system.

To protect against supply chain attacks, companies should establish a strong vendor management program that includes regular security assessments, due diligence, and verification of the integrity of the components and software used in the supply chain, for example by checking signatures and hashes of delivered software against values published by the vendor. Companies should also implement strong access controls, monitoring, and incident response procedures to quickly identify and respond to any supply chain attacks.


Figure 1-7 Supply chain attacks

• Third-party attacks

Third-party attacks are a type of cyber attack that targets an organization through a third-party vendor, partner, or contractor that has access to the organization's systems, data, or networks. In a third-party attack, attackers use weaknesses in the security of a third-party service provider to gain access to the targeted organization's data or systems. Here are some common types of third-party attacks:

• Credential theft: Attackers can steal the login credentials of a third-party service provider to gain access to the targeted organization's systems or data.

• Supply chain attacks: Attackers can compromise a third-party vendor or supplier and use that vendor's access to reach the targeted organization's systems.

• Malicious software or code: Attackers can inject malware or malicious code into a third-party application or software, which can then be used to gain access to the targeted organization's systems or data.

• Email phishing: Attackers can use email phishing scams to trick employees of a third-party vendor or supplier into providing access to the targeted organization's systems or data.

• Social engineering: Attackers can use social engineering tactics to manipulate employees of a third-party vendor or supplier into providing access to the targeted organization's systems or data.

To protect against third-party attacks, organizations should implement strong vendor management policies, including thorough security assessments, due diligence, and continuous monitoring of third-party vendors and suppliers. Organizations should also implement strong access controls, so that a vendor's access is limited to the systems it actually needs, together with monitoring and incident response procedures to quickly identify and respond to any third-party attacks. Additionally, organizations should provide regular security awareness training to their employees to help them recognize and avoid social engineering and phishing scams.


Figure 1-8 Third-party attacks

• Terrorism

Terrorism refers to the use of violence or threat of violence by individuals or groups to achieve political, religious, or ideological goals. Terrorism can pose a significant threat to organizations, particularly those that are involved in critical infrastructure or high-profile industries. Here are some examples of how terrorism can impact organizations:

• Physical damage: Terrorist attacks can cause physical damage to buildings, infrastructure, and equipment, which can lead to disruption of operations, loss of revenue, and potentially harm to employees and customers.

• Loss of life: Terrorist attacks can result in loss of life, which can have a profound impact on the affected organization, its employees, and its customers.

• Economic disruption: Terrorist attacks can cause economic disruption, particularly in industries such as transportation, tourism, and hospitality, which can lead to significant financial losses.

• Reputational damage: Terrorist attacks can harm an organization's reputation and brand, particularly if the organization is seen as being vulnerable to such attacks.

Organizations should have a comprehensive security plan that includes measures such as physical security, access controls, employee training, and emergency response procedures to mitigate the risk of terrorist attacks. In addition, organizations should stay up to date on the latest terrorist threats and work with law enforcement and other relevant authorities to assess and mitigate the risks to their operations.


Figure 1-9 Terrorism

One example of a recently publicized security breach is the SolarWinds hack, which was discovered in December 2020. The attackers compromised the build process of SolarWinds' Orion network-management software and inserted a backdoor (later named SUNBURST) into digitally signed Orion updates, which SolarWinds then distributed to its customers, including US government agencies and major corporations. The US government attributed the operation to Russia's foreign intelligence service, whose activity is tracked as APT29, also known as Cozy Bear.

The consequences of the SolarWinds hack have been significant. The backdoor gave the attackers an initial foothold inside the many organizations that installed the trojanized updates, from which they selected a smaller set of targets for follow-on intrusion and accessed emails, documents, and other confidential data. The US government was one of the major targets of the hack, with several federal agencies reported to be affected, including the Department of Defense, the Department of Homeland Security, and the Department of Justice; press reports also described access to the email accounts of senior officials.

In addition to the theft of sensitive information, the SolarWinds hack has also raised concerns about the security of software supply chains. Because the malicious code was inserted during SolarWinds' own build process, it carried the vendor's valid signature and passed the integrity checks customers normally rely on. This has led to questions about the security of other software products and the need for increased oversight of the software supply chain.

To prevent similar security breaches, organizations should consider implementing a range of security measures. This may include conducting regular security audits and assessments, using multi-factor authentication, and implementing security controls that limit the access of external users and third-party software to sensitive systems and data. Additionally, organizations should consider using more secure software development practices, including rigorous testing, code reviews, and protection of the build environment, to ensure that their software is not


of access control procedures:

• Authentication refers to the process of verifying the identity of a user who is attempting to access a system or application. This can include the use of passwords, smart cards, biometric scanners, or other authentication methods, and combining more than one of these (multi-factor authentication) makes a stolen password alone insufficient.

• Authorization refers to the process of determining what resources or information a user is allowed to access once their identity has been verified. This can include access levels, roles, and permissions. Authorization should deny by default: a user gets only the permissions explicitly granted to them.

• Physical access controls include measures such as locks, access cards, and security cameras to control access to facilities and sensitive areas within those facilities.

• Network access controls include firewalls, intrusion detection and prevention systems, and other technologies that are used to monitor and control access to an organization's network.

• Effective access control procedures also include ongoing security awareness training for employees to help them understand the importance of access control and to ensure that they follow established procedures.

By implementing effective access control procedures, organizations can significantly reduce the risk of unauthorized access to their systems and data. Access control procedures should be regularly reviewed and updated to ensure that they remain effective and that they keep pace with changes in technology and threats to the organization's security.
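The two first bullets above are often confused, so here is the distinction in code. This Python example is added for illustration and is not part of the original assignment: it keeps a constructed user store with salted PBKDF2 password hashes (authentication), maps roles to permissions and denies by default (authorization), and returns a different reason for each kind of denial. The usernames, roles and permission names are assumptions for the example.

```python
import hashlib
import hmac
import os

# PBKDF2 iteration count; kept moderate for the example, production values are higher.
ITERATIONS = 100_000

# Role -> permissions map (constructed for the example). Anything not listed is denied.
ROLE_PERMISSIONS = {
    "engineer": {"repo:read", "repo:write"},
    "accountant": {"ledger:read", "ledger:write"},
    "auditor": {"repo:read", "ledger:read"},
}


def hash_password(password, salt=b""):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the hash and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class AccessControl:
    def __init__(self):
        self.users = {}  # username -> (salt, digest, roles)

    def add_user(self, username, password, roles):
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, frozenset(roles))

    def authenticate(self, username, password):
        """Who is this? True only if the password matches the stored hash."""
        record = self.users.get(username)
        if record is None:
            # Hash anyway so the response time does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return False
        salt, digest, _ = record
        return verify_password(password, salt, digest)

    def authorize(self, username, permission):
        """What may this user do? Deny unless some role of the user grants the permission."""
        record = self.users.get(username)
        if record is None:
            return False
        roles = record[2]
        return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)

    def access(self, username, password, permission):
        """Authentication first, then authorization; each failure is reported distinctly."""
        if not self.authenticate(username, password):
            return "deny: authentication failed"
        if not self.authorize(username, permission):
            return "deny: not authorized"
        return "allow"


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "s3cret", ["engineer"])
    ac.add_user("carol", "audit-pw", ["auditor"])
    print(ac.access("alice", "s3cret", "repo:write"))      # allow
    print(ac.access("carol", "audit-pw", "repo:write"))    # deny: not authorized
    print(ac.access("carol", "wrong", "ledger:read"))      # deny: authentication failed
```

Note that the auditor is authenticated correctly but still cannot write to the repository: a valid identity is necessary for access but never sufficient on its own.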


Figure 1-10 Access Control Procedures

• Security Incident Response Procedures

Security incident response procedures are a set of documented procedures that organizations follow to detect, investigate, contain, and recover from security incidents. Security incidents can include cyber attacks, data breaches, physical security breaches, and other security-related incidents that could negatively impact an organization's systems, data, or operations. Here are some examples of security incident response procedures:

1 Incident detection: Organizations use security monitoring tools and techniques to detect potential security incidents, such as suspicious network activity or unauthorized access attempts.

2 Incident investigation: Once a security incident is detected, organizations initiate an investigation to determine the scope, impact, and cause of the incident.

3 Incident containment: After the scope of the incident is understood, organizations take steps to contain the incident and prevent further damage. This could include isolating affected systems or networks, disabling user accounts, or blocking network traffic.

4 Incident recovery: Once the incident is contained and the attacker's access and malware have been removed, organizations work to recover from the incident and restore affected systems and data to their normal state. This could include restoring from backups, reinstalling software, or implementing new security controls.

5 Incident reporting: Organizations report security incidents to relevant stakeholders, such as law enforcement, customers, or regulators, as required by law or policy.

Effective security incident response procedures are critical to minimizing the impact of security incidents and restoring normal operations as quickly as possible. Organizations should regularly review and update their security incident response procedures to ensure that they remain effective and that they reflect changes in the organization's systems, data, or operations, and a post-incident review after each incident is the usual input to that update. Additionally, organizations should regularly conduct security incident response drills to test their procedures and ensure that their staff is prepared to respond effectively to security incidents.


Figure 1-11 Security Incident Response Procedures

• Security Awareness Training

Security awareness training is training that organizations provide to their employees to help them understand and recognize security threats and how to respond to them. The goal of security awareness training is to educate employees about their role in protecting the organization's assets, such as its data, systems, and facilities. Here are some examples of security awareness training:

1 Phishing awareness: Phishing is a common tactic used by attackers to trick individuals into revealing sensitive information, such as usernames and passwords. Security awareness training can educate employees on how to recognize and avoid phishing attacks.

2 Password management: Passwords are a critical component of security, and employees should be trained on best practices for creating and managing passwords, such as using strong, unique passwords, using a password manager, and not sharing passwords with others.

3 Social engineering awareness: Social engineering attacks, such as pretexting and baiting, are designed to manipulate individuals into revealing sensitive information. Security awareness training can help employees recognize and avoid social engineering attacks.

4 Data classification: Security awareness training can educate employees on how to classify and handle sensitive data to prevent data breaches and unauthorized access to sensitive information.

5 Incident reporting: Employees should be trained on the proper procedures for reporting security incidents, such as data breaches or suspicious activity, to the appropriate personnel within the organization.

By providing security awareness training, organizations can help employees understand the importance of security and how to recognize and respond to security threats. This can help to minimize the risk of security incidents and protect the organization's assets. Security awareness training should be an ongoing process and should be regularly reviewed and updated to reflect changes in technology and threats to the organization's security.


Figure 1-12 Security Awareness Training

These security procedures can be effective in improving organizational security. By implementing access control procedures, organizations can limit the risk of unauthorized access to sensitive information or resources. Security incident response procedures can help organizations respond quickly and effectively to security incidents, minimizing the impact on the organization. Security awareness training can help employees identify and avoid security risks, reducing the likelihood of security incidents occurring in the first place.

1.3 M1 Propose a method to assess and treat IT security risks

Assessing IT security threats is a critical step in developing an effective security strategy for an organization. Several complementary methods are used to assess IT security threats, including proactive assessments of the organization's own systems and the use of monitoring tools. Here are some methods for assessing IT security threats:


Figure 1-13 Assessing IT security threats

Vulnerability Assessment

Vulnerability assessment is a process that helps organizations identify and prioritize vulnerabilities in their systems, applications, and network infrastructure. The goal of a vulnerability assessment is to identify potential weaknesses that could be exploited by attackers to gain unauthorized access to an organization's systems or data. Here are the steps involved in a typical vulnerability assessment:

Identify assets: The first step in a vulnerability assessment is to identify the assets that need to be assessed, such as servers, databases, and network devices, and to record how critical each one is to the business.

Scan for vulnerabilities: Vulnerability scanners are used to scan the identified assets for known vulnerabilities, such as missing patches or misconfigured settings.

Analyze results: Once the vulnerability scan is complete, the results are analyzed to determine which vulnerabilities are real and which are the most critical. Scanners only report issues they have signatures for, and they produce false positives, so findings should be confirmed before work is scheduled on them.

Prioritize vulnerabilities: The vulnerabilities are prioritized based on their severity, whether an exploit is known to exist, and the criticality of the affected asset, so that a high-severity finding on a production database is addressed before the same finding on a development machine.

Remediate vulnerabilities: Organizations take steps to remediate the identified vulnerabilities, such as applying software patches, updating configurations, or deploying additional security controls.

Verify remediation: Once the vulnerabilities are remediated, organizations re-scan to verify that the remediation was successful and that the vulnerabilities are no longer present.

By conducting regular vulnerability assessments, organizations can proactively identify and address potential security weaknesses in their systems and networks, helping to reduce the risk of security incidents and data breaches. It is important to note that vulnerability assessments are just one part of an effective security program and should be complemented by other security controls, such as access controls, intrusion detection, and incident response procedures.
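The prioritize and verify steps above are where most of the judgement lives, so here is a small worked version of them. This Python example is added for illustration and is not part of the original assignment; the scan findings, plugin identifiers, CVSS values and asset criticality weights are constructed, and the scoring formula (CVSS weighted by asset criticality, boosted when a public exploit exists) is one reasonable choice rather than a standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin_id: str          # scanner check identifier (hypothetical values below)
    title: str
    cvss: float             # base score as reported by the scanner
    exploit_available: bool = False


# Step 1, identify assets: business criticality per asset (constructed values, 0..1).
ASSET_CRITICALITY = {"db-prod-01": 1.0, "web-prod-01": 0.8, "dev-box-07": 0.3}


def risk_score(f):
    """Scanner severity weighted by how much the asset matters and whether an exploit exists."""
    criticality = ASSET_CRITICALITY.get(f.asset, 0.5)   # unknown assets get a middle weight
    multiplier = 1.5 if f.exploit_available else 1.0
    return round(f.cvss * criticality * multiplier, 2)


def prioritize(findings):
    """Step 4: highest risk first; ties broken deterministically by asset and check."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.plugin_id))


def verify_remediation(before, after):
    """Step 6: diff two scans; a finding is fixed when its (asset, check) pair no longer appears."""
    key = lambda f: (f.asset, f.plugin_id)
    before_keys = {key(f) for f in before}
    after_keys = {key(f) for f in after}
    return {
        "fixed": sorted(before_keys - after_keys),
        "still_open": sorted(before_keys & after_keys),
        "new": sorted(after_keys - before_keys),
    }


# Constructed scan output (not real scanner data): first scan and re-scan after patching.
SCAN_1 = [
    Finding("db-prod-01", "P-101", "Unpatched database service", 9.8, True),
    Finding("web-prod-01", "P-202", "TLS 1.0 enabled", 5.3),
    Finding("dev-box-07", "P-101", "Unpatched database service", 9.8, True),
    Finding("web-prod-01", "P-303", "Default admin credentials", 9.1),
]
SCAN_2 = [
    Finding("web-prod-01", "P-202", "TLS 1.0 enabled", 5.3),
    Finding("dev-box-07", "P-101", "Unpatched database service", 9.8, True),
    Finding("web-prod-01", "P-404", "Directory listing enabled", 5.0),
]


if __name__ == "__main__":
    for f in prioritize(SCAN_1):
        print(f"{risk_score(f):6.2f}  {f.asset:12}  {f.plugin_id}  {f.title}")
    print(verify_remediation(SCAN_1, SCAN_2))
```

Note how the same CVSS 9.8 finding ranks first on the production database but below a 9.1 on the production web server when it appears on a low-value development box: severity alone is not risk.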


Figure 1-14 Vulnerability Assessment

Penetration Testing

Penetration testing, also known as pen testing, is a process of evaluating the security of a computer system, network, or application by simulating an attack from a malicious actor. The goal of a penetration test is to identify vulnerabilities that could actually be exploited by an attacker to gain unauthorized access to an organization's systems or data. Penetration testing involves several steps, including:

1 Planning: The first step in a penetration test is to define the scope of the test, the rules of engagement (what may be attacked, when, and how far exploitation may go), and the systems and applications that will be tested. The test plan should also include the testing methodology and the tools that will be used.

2 Reconnaissance: The next step is to gather information about the target systems and applications. This may involve scanning the network, reviewing publicly available information, and identifying potential attack vectors and candidate vulnerabilities.

3 Exploitation: In this phase, the pen tester attempts to exploit the identified vulnerabilities to gain unauthorized access to the target systems or applications, within the agreed rules of engagement. This may involve using known exploits or developing new ones.

4 Reporting: Once the testing is complete, a report is prepared that details the vulnerabilities that were identified, the severity of each vulnerability, the evidence of exploitation, and recommendations for remediation.

Penetration testing is a valuable tool for organizations to identify potential security weaknesses and improve their overall security posture. It can help to identify vulnerabilities that may not be detected by other security controls, such as vulnerability assessments or intrusion detection systems, and unlike a vulnerability scan it shows which weaknesses can actually be chained into a compromise. By conducting regular penetration testing, organizations can proactively identify and address security weaknesses before they can be exploited by attackers.


Figure 1-15 Penetration Testing

Threat Modeling

Threat modeling is a structured approach to identifying and assessing potential security threats to an organization's systems, applications, and data. The goal of threat modeling is to identify potential security weaknesses and to develop strategies for mitigating those risks, ideally while the system is being designed rather than after it is built. Threat modeling typically involves the following steps:

Identify assets: The first step in threat modeling is to identify the assets that need to be protected, such as data, systems, and applications, and to draw how data flows between them and where it crosses a trust boundary (for example from the internet into the organization's network).

Create a threat model: The next step is to create a threat model that identifies potential threats to the identified assets. This may involve brainstorming sessions with subject matter experts, reviewing past incidents and attacks, analyzing the organization's threat landscape, or working through a checklist of threat categories such as STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) for each element of the diagram.

Assess threats: Once the threats are identified, they are assessed to determine their likelihood and potential impact on the organization. This helps to prioritize the threats and to focus resources on the most critical risks.

Develop mitigation strategies: Based on the identified threats, the organization develops strategies for mitigating those risks. This may involve implementing new security controls, such as access controls or encryption, or improving existing controls.

Test and refine: The threat model is tested to ensure that the mitigation strategies are effective, and it is refined as the system changes.

Threat modeling is an important tool for organizations to proactively identify and address potential security risks. By identifying potential threats and developing mitigation strategies, organizations can improve their overall security posture and reduce the risk of security incidents and data breaches. Threat modeling is often used in combination with other security controls, such as vulnerability assessments and penetration testing, to provide a comprehensive approach to security.
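As an added example of the "create a threat model" and "assess threats" steps above (not part of the original assignment), the following Python code applies the STRIDE-per-element checklist to a small constructed system: a browser talking to a web application that talks to a database, across two trust boundaries. The element types, the STRIDE-per-element table and the control-to-threat mapping are the usual ones from the STRIDE method; the specific system, its trust zones and the control names are assumptions made for the example.

```python
from dataclasses import dataclass, field

# STRIDE-per-element: which threat classes apply to each kind of data-flow-diagram element.
STRIDE_PER_ELEMENT = {
    "external": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "datastore": ["Tampering", "Repudiation", "Information disclosure", "Denial of service"],
    "dataflow": ["Tampering", "Information disclosure", "Denial of service"],
}

# Which controls address which threat class (assumed mapping for this example).
MITIGATES = {
    "Spoofing": {"mutual-tls", "mfa"},
    "Tampering": {"tls", "signed-messages", "integrity-checks"},
    "Repudiation": {"audit-logging"},
    "Information disclosure": {"tls", "encryption-at-rest"},
    "Denial of service": {"rate-limiting", "quotas"},
    "Elevation of privilege": {"least-privilege", "input-validation"},
}


@dataclass
class Element:
    name: str
    kind: str            # external | process | datastore
    trust_zone: str      # e.g. internet, dmz, internal
    controls: set = field(default_factory=set)


@dataclass
class Flow:
    src: Element
    dst: Element
    controls: set = field(default_factory=set)


def unmitigated(elements, flows):
    """Return (target, threat, priority) for every STRIDE threat no listed control addresses."""
    gaps = []
    for e in elements:
        for threat in STRIDE_PER_ELEMENT[e.kind]:
            if not (e.controls & MITIGATES[threat]):
                gaps.append((e.name, threat, "medium"))
    for f in flows:
        # A flow that crosses a trust boundary is where an attacker can most easily interpose.
        crosses = f.src.trust_zone != f.dst.trust_zone
        for threat in STRIDE_PER_ELEMENT["dataflow"]:
            if not (f.controls & MITIGATES[threat]):
                gaps.append((f"{f.src.name}->{f.dst.name}", threat, "high" if crosses else "low"))
    return sorted(gaps)


def build_example():
    """Constructed three-tier system: browser (internet) -> web app (dmz) -> database (internal)."""
    browser = Element("browser", "external", "internet")
    web = Element("web-app", "process", "dmz",
                  {"mfa", "audit-logging", "input-validation", "rate-limiting"})
    db = Element("db", "datastore", "internal", {"encryption-at-rest", "audit-logging"})
    flows = [
        Flow(browser, web, {"tls"}),   # HTTPS from the user
        Flow(web, db),                 # plaintext database connection, no controls listed
    ]
    return [browser, web, db], flows


if __name__ == "__main__":
    elements, flows = build_example()
    for target, threat, priority in unmitigated(elements, flows):
        print(f"{priority:6}  {target:18}  {threat}")
```

The output makes the unprotected internal hop stand out: every dataflow threat on web-app->db is open and rated high because the flow crosses from the DMZ into the internal zone, which is exactly the gap a review would send back to the design team.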


Figure 1-16 Threat Modeling

Security Information and Event Management (SIEM) tools:

Security Information and Event Management (SIEM) tools are software platforms that collect and analyze security-related data from various sources within an organization's IT environment. SIEM tools are designed to provide real-time visibility into security events and to identify potential security threats by correlating data from multiple sources.

SIEM tools typically perform the following functions:

Data collection: SIEM tools collect logs and events from various sources, such as network devices, servers, applications, and security controls such as firewalls and intrusion detection systems, and normalize them into a common format so that events from different products can be compared.

Event correlation: SIEM tools correlate the collected data to identify potential security threats. This involves analyzing the data in near real time, using correlation rules and anomaly detection, to find patterns that a single event would not reveal, for example a burst of failed logins from one address followed by a successful login from the same address.

Alerting: When a potential security threat is identified, the SIEM tool generates an alert that is sent to the security team for further investigation.

Reporting: SIEM tools provide reports that summarize security events and provide insights into potential security risks.

Compliance monitoring: SIEM tools can help organizations comply with regulatory requirements by monitoring and reporting on security-related activities and by retaining logs for the required period.

SIEM tools are an important tool for organizations to improve their overall security posture. They provide real-time visibility into security events and help organizations to identify potential security threats before they can be exploited by attackers. Their value depends on the quality of the correlation rules and on tuning: rules that are too broad bury the security team in false positives, while rules that are too narrow miss attacks.
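To make the event correlation step concrete, here is a small correlation rule of the kind a SIEM runs, written in Python as an added example that is not part of the original assignment. It parses constructed sshd-style authentication log lines (the year is assumed to be 2024, since syslog lines carry none), keeps a sliding window of failed logins per source address, raises a medium-severity alert when five failures occur within 60 seconds, and a high-severity alert when a successful login from the same address follows such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log (not real data). 203.0.113.7 brute-forces and then succeeds,
# 198.51.100.4 is an ordinary user who mistypes once, 192.0.2.9 brute-forces without success.
LOG_LINES = """\
Mar  3 10:01:02 host1 sshd[1001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:01:05 host1 sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:01:09 host1 sshd[1003]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:01:12 host1 sshd[1004]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Mar  3 10:01:15 host1 sshd[1005]: Failed password for alice from 203.0.113.7 port 51004 ssh2
Mar  3 10:01:20 host1 sshd[1006]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
Mar  3 10:05:00 host1 sshd[1007]: Failed password for bob from 198.51.100.4 port 40000 ssh2
Mar  3 10:30:00 host1 sshd[1008]: Accepted password for bob from 198.51.100.4 port 40001 ssh2
Mar  3 11:00:00 host1 sshd[1009]: Failed password for carol from 192.0.2.9 port 30000 ssh2
Mar  3 11:00:10 host1 sshd[1010]: Failed password for carol from 192.0.2.9 port 30001 ssh2
Mar  3 11:00:20 host1 sshd[1011]: Failed password for carol from 192.0.2.9 port 30002 ssh2
Mar  3 11:00:30 host1 sshd[1012]: Failed password for carol from 192.0.2.9 port 30003 ssh2
Mar  3 11:00:40 host1 sshd[1013]: Failed password for carol from 192.0.2.9 port 30004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
ASSUMED_YEAR = "2024"   # syslog timestamps carry no year


def parse(line):
    """Normalize one raw log line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(ASSUMED_YEAR + " " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "result": m.group("result"),
            "user": m.group("user"), "src": m.group("src")}


def correlate(lines, threshold=5, window_s=60):
    """Sliding-window correlation over failed logins per source address."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    fired = set()                   # (src, rule) already alerted, to avoid repeats
    for line in lines.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        # Drop failures that fell out of the window before this event.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and (ev["src"], "brute_force") not in fired:
                fired.add((ev["src"], "brute_force"))
                alerts.append({"rule": "brute_force", "severity": "medium",
                               "src": ev["src"], "ts": ev["ts"]})
        else:
            # A success right after a burst of failures is the signal worth paging on.
            if len(q) >= threshold:
                alerts.append({"rule": "success_after_bruteforce", "severity": "high",
                               "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in correlate(LOG_LINES):
        print(a)
```

No single line in the sample is suspicious on its own; the "Accepted password for alice" event only becomes an alert because the correlation engine remembers the five failures that preceded it from the same address. The threshold and window are tuning knobs, and the `fired` set is what stops a long brute-force run from producing hundreds of identical alerts.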

Posted: 13/05/2024, 14:55