Security Strategy Implementation Recommendations for Sifers-Grayson
Project #2: Security Strategy Implementation Recommendations for Sifers-Grayson
Now that the After Action Reports have been analyzed, the consultants must develop a plan for improving the security posture at Sifers-Grayson. This will be documented in a Security Strategy Recommendations document. The security strategy will be based upon multiple layers of policies, processes, and technologies that, when implemented, will be used to defend the Information Technology enterprise from both internal and external threats and attacks.
Note: see https://www.techrepublic.com/blog/it-security/understanding-layered-security-and-defense-in-depth/ for a discussion of the differences between these two security strategies: layered security and defense-in-depth. You will need this information for the Security Strategies section of your paper.
Two defensive security strategies have been chosen by the senior members of the team.
- Defense Strategy #1: Build a DMZ for the R&D Center. The DMZ will host servers accessed by the engineers while teleworking and while reaching back to the R&D center from the test range. The DMZ will require the following: (a) business class routers, (b) business class firewalls, and (c) intrusion detection and prevention system.
Demilitarized Zone (DMZ). For definitions and diagrams see https://www.us-cert.gov/ics/Control_System_Security_DMZ-Definition.html and https://fedvte.usalearning.gov/courses/Security+_v401/course/videos/pdf/Security+_v401_D02_S04_T04_STEP.pdf
- Defense Strategy #2:Implement Enterprise-wide Protective and Detective Measures to defend against both internal and external attackers. These measures will include (a) controlling access to software documentation and source code, (b) implementing enterprise-wide identity management, and (c) implementing either a Security Information and Event Management (SIEM) tool or a Unified Threat Management (UTM) tool.
You have been assigned to research products which will be used to implement the two Defense Strategies. You will need to research suitable products and then write a report recommending a set of products and services which can be used to implement the selected strategies. Your report will include summary information and explanations about defense in depth and the two selected strategies.
Note: You may need to do additional reading and research to find the information required to support your explanations of defense in depth and the selected defense strategies. Make sure that you cite authoritative sources for this information.
- Products to Implement Defense Strategy #1 (Build a DMZ for the R&D Center). You must choose one product for each of the following categories (router, firewall, intrusion detection and prevention).
- Business Class Router with WAP and VPN capability (choose one of the following brands)
- Other (must get instructor’s approval first)
- Business Class Firewall (Network Based) (choose one of the following brands)
- Other (must get instructor’s approval first)
- Intrusion Detection and Prevention System (network based – not cloud)
- Trend Micro
- Other (must get instructor’s approval first)
- Products to Implement Defense Strategy #2 (Implement enterprise-wide protection, detection, and prevention capabilities). These tools or applications will be installed or used on Sifers-Grayson servers (cloud hosting NOT allowed). Select one tool in each of the categories listed below. Your product recommendations must include all of the listed categories.
- Application Lifecycle Management (ALM) Tool
- Identity & Access Management (IAM) Tool
- Security Information and Event Management (SIEM) OR Unified Threat Management (UTM)
- Forensic Image Capture Utility (e.g. FTK Imager, Belkasoft, Paladin/Sumuri, SIFT)
Note: Make sure that you are using appropriate resources to find information to support your analysis and product recommendations. Vendor websites, industry or trade publication websites, and government websites are usually acceptable sources of information about the defensive strategies and products you will write about in this assignment.
- An Introductionsection which presents the security strategies being recommended in your report. You should explain what how these strategies will improve the overall security posture of Sifers-Grayson.
- A Security Strategiessection in which you present an analysis of the defensive security strategies and then provide an explanation as to how each of the two selected defensive strategies will improve the security posture for Sifers-Grayson. Include a comparison of the two primary types of strategies – layered security and defense in depth. Then, explain how the selected security strategies use one or both of these approaches. Use information from Project #1 and the Red Team’s penetration tests to support your justification for implementing the selected security strategies.
- A Product Evaluations section in which you present and discuss the technologies and products which will be used to implement each strategy. You must have a separate sub-section for each defense in depth strategy. Under each sub-section, you will name and describe the individual products (i.e. describe firewalls and then describe your chosen firewall product). Your presentation of each product should be in the form of a recommendation to purchase / implement.
- A Summary Implementation Recommendations section in which you summarize your product recommendations for products and technologies to be used in implementation the two defensive security strategies. Be sure to explain the benefits of implementing the two strategies (e.g. protection, detection, prevention of incidents caused by attacks).
Submit for Grading
Submit your paper in MS Word format (.docx or .doc file) using the Project #2 assignment in your assignment folder. (Attach the file.)
- You should NOT use any student written papers as sources for your research for this paper. Doing so may violate the university’s Academic Integrity policy and result in an Academic Dishonesty Allegation and referral to the Office of Academic Integrity and Accountability for investigation and adjudication.
- You will need between 5-8 pages to cover all of the required content. There is no penalty for writing more than 8 pages but, clarity and conciseness are valued. If your paper is shorter than 5 pages, you may not have sufficient content to meet the assignment requirements (see the rubric).
- As you write your strategy paper, make sure that you address security issues using standard cybersecurity terminology (e.g. protection, detection, prevention, “governance,” confidentiality, integrity, availability, nonrepudiation, assurance, etc.). See the ISACA glossary https://www.isaca.org/pages/glossary.aspxif you need a refresher on acceptable terms and definitions.
- You must include a cover page with the assignment title, your name, and the due date. Your reference list must be on a separate page at the end of your file.
- You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.
- You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow a consistent citation style (APA, MLA, etc.).
- Consult the grading rubric for specific content and formatting requirements for this assignment.
Sifers-Grayson is a family owned business headquartered in Grayson County, Kentucky, USA. The company’s physical address is 1555 Pine Knob Trail, Pine Knob, KY 42721. The president of the company is Ira John Sifers, III. He is the great-grandson of one of the company’s founders and is also the head of the engineering department. The chief operating officer is Michael Coles, Jr. who is Ira John’s great nephew. Mary Beth Sifers is the chief financial officer and also serves as the head of personnel for the company.
Recent contracts with the Departments of Defense and Homeland Security have imposed additional security requirements upon the company and its R&D DevOps and SCADA labs operations. The company is now required to comply with NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The company must also comply with provisions of the Defense Federal Acquisition Regulations (DFARS) including section 252-204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. These requirements are designed to ensure that sensitive technical information, provided by the federal government and stored on computer systems in the Sifers-Grayson R&D DevOps and SCADA labs, is protected from unauthorized disclosure. This information includes software designs and source code. The contract requirements also mandate that Sifers-Grayson report cyber incidents to the federal government in a timely manner.
The company has agreed to allow an external Red Team to conduct penetration testing of its operations to help ensure that it is able to meet the government’s requirements for cybersecurity and the protection of government owned sensitive but unclassified information. The company has also assigned personnel to conduct After Action Reviews of the penetration testing.
The Engineering Department is housed in the company’s R&D center with a satellite facility at the test range. The desktop and laptop computers are a mixed bag of hardware (multiple manufacturers) running Windows 8.1, Windows 10, and variants of Apple’s OSX and iOS. The support for these computers and the internal networks is provided by the junior engineers assigned to one or more of the department’s development teams. The Engineering Department’s philosophy is that all of the company’s engineers should be trained and capable of providing support for any and all hardware, software, and networks used by the department. This training is provided through on-the-job experiences and mentoring by more senior engineers. When a problem arises, the department head or one of the lab supervisors assigns an engineer to find and fix the problem.
Engineering Department: SCADA Lab
The SCADA lab was originally setup in 1974. It has been upgraded and rehabbed several times since then. The most recent hardware and software upgrades were completed three years ago after the lab was hit with a ransomware attack that exploited several Windows XP vulnerabilities. At that time, the engineering and design workstations were upgraded to Windows 8.1 professional. A second successful ransomware attack occurred three months ago. The company paid the ransom in both cases because the lab did not have file backups that it could use to recover the damaged files (in the first case) and did not have system backups that it could use to rebuild the system hard drives (in the second case).
The SCADA Lab is locked into using Windows 8.1. The planned transition to Windows 10 is on indefinite hold due to technical problems encountered during previous attempts to modify required software applications to work under the new version of the operating system. This means that an incident response and recovery capability for the lab must support the Windows 8.1 operating system and its utilities.
Engineering Department: R&D DevOps Lab
The R&D DevOps Lab was built in 2010 and is used to develop, integrate, test, support, and maintain software and firmware (software embedded in chips) for the company’s robots, drones, and non-SCADA industrial control systems product lines. The workstations in this lab are running Windows 10 and are configured to receive security updates per Microsoft’s monthly schedule.
Data Center & Enterprise IT Operations
The company uses a combination of Windows 10 workstations and laptops as the foundation of its enterprise IT capabilities. The servers in the data center and the engineering R&D center are built upon Windows Server 2012. A firewall was installed to protect the Data Center from network attacks but, as you can see in Figure 2, the placement of the firewall on the corporate network provides no protection for the Data Center. An external attacker could use the network path through the R&D center’s networks to reach the Data Center.
Contractual & Regulatory Requirements
- Newly won government contracts now require compliance with DFARS §252.204-7008, 7009, and 7012
- Derivative requirements include:
- Implementation of and compliance with NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
- Compliance with DFARS 252.239-7009 Representation of Use of Cloud Computing and 7010 Cloud Computing Services (see https://www.acq.osd.mil/dpap/dars/dfars/html/current/252239.htm#252.239-7009
- Additional Contractual Requirements for Lab Operations include:
- Incident Response per NIST SP-800-61 (Computer Security Incident Handling Guide)
- SCADA Security per NIST SP 800-82 (Guide to Industrial Control Systems Security)
- Software / Systems Development Lifecycle (SDLC) Security per NIST SP 800-64 (Security Considerations in the System Development Life Cycle)
- Configuration Management per NIST SP 800-128 (Guide for Security-Focused Configuration Management of Information Systems)
Red Team Penetration Testing
Sifers-Grayson hired a cybersecurity consulting firm to help it meet the security requirements of a contract with a federal agency. The consulting firm’s Red Team conducted a penetration test and was able to gain access to the engineering center’s R&D servers by hacking into the enterprise network through an unprotected network connection (see figure 2). The Red Team proceeded to exfiltrate files from those servers and managed to steal 100% of the design documents and source code for the AX10 Drone System. The Red Team also reported that it had stolen passwords for 20% of the employee logins using keylogging software installed on USB keys that were left on the lunch table in the headquarters building employee lounge (see Figure 3). The Red Team also noted that the Sifers-Grayson employees were quite friendly and talkative as they opened the RFID controlled doors for the “new folks” on the engineering staff (who were actually Red Teamers).
The Red Team continued its efforts to penetrate the enterprise and used a stolen login to install malware over the network onto a workstation connected to a PROM burner in the R&D DevOps lab (See Figure 3). This malware made its way onto a PROM that was then installed in an AX10-a test vehicle undergoing flight trials at the Sifers-Grayson test range (See Figures 1 and 4). The malware “phoned home” to the Red Team over a cellular connection to the R&D center. The Red Team took control of the test vehicle and flew it from the test range to a safe landing in the parking lot at Sifers-Grayson headquarters.
The Red Team used three stolen logins to send Phishing Emails to employees. These phishing emails appeared to come from coworkers (employees of the company) and contained a link to one of three videos. Each video was linked to a server that tracked the email address and IP address of the computer used to access the video. The Red Team reported that over 80% of the recipients clicked on the video link for cute kittens or cute cats. Twenty percent (20%) of the recipients clicked on the video link for a business news story. A video link to a sports event wrap-up for the Kentucky Volunteers basketball team had over 95% click-through rate. All three videos displayed a “Page Not Found (404 Error)” message from the target server. The Red Team did not put a tracking beacon in the emails to track forwarding of the phishing emails. But, the team reported that the target server collected email addresses and IP addresses for over 1500 external recipients within 24 hours of the original mailing; at that point, the target server was shutdown.
After completing their penetration tests, the Red Team provided Sifers-Grayson executives with a diagram showing their analysis of the threat environment and potential weaknesses in the company’s security posture for the R&D DevOps Lab (see figure 5).
Incident Response During the Penetration Test
Sifers-Grayson has limited Incident Handling and Response capabilities in place. The company’s Chief Operating Officer has a small IT team (team lead and two support specialists) that focuses primarily on the IT needs of headquarters personnel. Their duties include staffing the help desk phone line and handling any incidents that affect availability of company owned IT equipment and networks. The single firewall for the company falls under this team’s management and control. It was not capable of detecting the Red Team’s intrusions and was not configured to provide alerts for any failures or faults.
Computer and network operations for the SCADA Lab and R&D DevOps Labs have traditionally been the responsibility of the Engineering department. Engineering sees itself as separate from the rest of the company and takes care of its own IT needs. There is no formal incident response capability. Instead, the lab manager for each lab tasks engineering staff to manage the workstations. If network maintenance or upgrades are required, the Engineering Department hires contractors to perform the work. Responsibility for providing oversight for these contractors is rotated between the junior engineers.
The Data Center manager has a staff of two systems administrators who are also responsible for identifying and responding to incidents which impact server availability. The Data Center does not have any automated detection systems in place to provide alerts for intrusions. It does, however, have heat alarms, smoke detectors, and water detectors which sound audible alerts through klaxon horns. Neither of the system administrators detected any anomalies in server or local area network operations during the penetration test.
There was no effective incident response during the penetration test. In large part, this was due to the lack of a centralized team with responsibility for enterprise monitoring and response for network incidents and computer security incidents. Incident response also fell short because there were no automated detection capabilities. Finally, the company’s ability to perform forensics investigations after the penetration testing was limited due to a lack of knowledge (no trained personnel), lack of forensic analysis tools, and a limited number of log files on the servers and firewall.