Risk Management: Security Assessment Report

Security Analysis Baseline

After developing a new system, various tests are conducted by experts to examine its proficiency and response to various situations that arise in the workplace. Importantly, the security analysis baseline creates an enabling environment where developers can evaluate the significance of different configurations and improvements that should be introduced in the system. From this realization, consistent security assessments will provide an organization with an opportunity to incorporate various aspects that enhance the user experience and safeguard their credentials when using the system. Likewise, a security baseline enables practitioners to conduct assessments that yield favorable results, which define the best approaches that can be used to overcome emerging scenarios in the contemporary community.

Many corporations have a huge enterprise network that relies on various endpoints, which improve the user experience due to the improved service delivery. However, the large size of the enterprise network presents a serious problem that undermines the organization’s ability to safeguard user credentials from third parties. When hackers can freely maneuver through a system, they tend to initiate discreet operations that interfere with the company’s credibility and are likely to affect its relationship with stakeholders in the long run (Carver, Burcham, Kocak, Bener, Felderer, Gander, & Williams, 2016). From this perspective, network attacks, whether passive or active, lower an organization’s reputation and interfere with its ability to accomplish desired outcomes. Some of the common network attacks include endpoint attacks, malware attacks, and advanced persistent attacks. Likewise, hackers exploit vulnerabilities in a company’s network before launching attacks that have far-reaching implications on its reputation. Therefore, cyber attacks have a significant impact on an organization’s productivity and may contribute towards regulatory fines, which disrupt normalcy in the work environment.

Fig 1.0 A graphical representation of a network diagram with both configuration and connections.

When developing a network system, corporations deploy various strategies that enhance the overall user experience by safeguarding their credentials. In this regard, the security posture of an organization is defined by its resilience and ability to overcome cyber attacks that interfere with its operational performance (Liu, Bailey, Karir, Liu, & Zhang, 2018). Usually, a company’s enterprise consists of different assets that are susceptible to different risk factors. In this regard, company managers tend to use different security approaches to increase the efficiency of their networks by reinforcing their security posture. For instance, aspects such as the measures an organization has put in place against external attackers play an important role in shaping its security posture. Likewise, the company’s ability to stage a strong defense against cyberattacks and its readiness to respond to each of the attempts define its security posture. For this reason, security posture acts as a company’s inventory for its different assets that range from cloud to infrastructure.

Fig 2.0 A graphical representation of the features that define a company’s security posture.

An enterprise security posture defines the status of a company’s software and the ease of external interference. On many occasions, company managers are focused on investing in security approaches that lower the accessibility of third-parties in their networks. Although networks are frequently being hacked, the true test of an organization’s security posture is determined by its ability to thwart any efforts that focus on gaining access into a company’s network (Solow, Darshan, Cain, Epstein, & Zucker, 2019). Besides, security network experts should map the attack surfaces and enable the company leadership to understand the possible loopholes that can be exploited by third parties. However, identifying the paths that can be pursued by hackers provides one with a clear line of thought that demonstrates the intentions of the third party and the resilience of the network to withstand the numerous attacks.

Fig 3.0 A graphical representation of a network infrastructure with configuration, connections, and endpoints.

Code injection, data breach, and malware infection are some of the popular security concerns that compel organizations to develop security approaches, which respond to the real-time problems. On many occasions, hackers exploit vulnerabilities in a security network before injecting malicious code into a company’s application or web platform with the hope of manipulating organizational outcomes (Niakanlahiji & Jafarian, 2017). Usually, the vulnerability exists in the text fields where users key in their credentials to access different pages in a web or mobile platform. Since hackers focus on fields that incorporate an SQL statement, companies should develop approaches that enable them to safeguard user credentials, server control, and data protection.
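The weakness described above, shown as a login check that pastes form input into an SQL statement next to a version that binds the input as parameters. This is an added example, not part of the original report; the table layout, the function names and the account are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 50_000  # kept low so the example runs quickly


def hash_pw(password, salt):
    """Salted PBKDF2 digest; also registered below as a SQL function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db():
    """In-memory database holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("hash_pw", 2, hash_pw)
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("alice", salt, hash_pw("correct horse battery", salt)),
    )
    return conn


def login_vulnerable(conn, username, password):
    """Before: form input is pasted into the statement, so it is parsed as SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = hash_pw('" + password + "', salt)"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """After: input travels as a bound parameter and is only ever treated as data."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    salt, stored = row if row else (b"\x00" * 16, b"")
    # Hash even for unknown users so both paths do similar work.
    candidate = hash_pw(password, salt)
    return row is not None and hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    # Constructed input: the quote ends the string literal and the comment
    # marker discards the password comparison that follows it.
    crafted = "alice' --"
    for check in (login_vulnerable, login_safe):
        print(
            check.__name__,
            "valid login:", check(db, "alice", "correct horse battery"),
            "crafted username, wrong password:", check(db, crafted, "wrong"),
        )
```

The same input that changes the meaning of the concatenated statement is simply an unknown username to the parameterized one.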

Alternatively, data breaches have a significant impact on a company’s operational performance because of the cost implication associated with losing data to hackers. Causes of data breaches range from software misconfiguration to lost hardware, where hackers utilize the existing vulnerabilities before deploying their phishing attacks. While many corporations are always on the lookout to warn their employees about malware, a majority of their executives are unaware of the dangers posed by email spam (Angst, Block, D’Arcy, & Kelley, 2017). In this regard, malware has different origins, which influence the nature of attack that can be launched in an organization. From this realization, incorporating different screening levels enables corporations to overcome the devastating impacts of malware infections on the company’s security network.

Acquiring an accurate IT asset inventory enables organizations to establish their security posture, which enables them to predict potential cyberattacks that can interfere with their credibility. Following a successful IT inventory, company managers, through their security experts, can then proceed to map the attack surface before introducing countermeasures that aim at improving the strength of the network security (Asmussen, Kristensen, Steger-Jensen, & Wæhrens, 2018). At some point, organizations require qualified personnel who can perform different tasks that meet the desired expectations. Initially, viruses were the common form of malware but have decreased over the years because of the introduction of tools such as antiviruses, which enhance detection. Routers, switches, and firewalls are quite vulnerable because of the ease with which hackers use them to gain access into a network.

Data in transit refers to the process where information is constantly being exchanged across a network. In this regard, any external interference affects the quality of communication and lowers the level of comprehension where individuals understand the shared messages. From this realization, data protection plays an important role in securing inactive data from hackers and third parties (Goddard, 2017). However, organizations can adopt various measures that revolve around remediation, mitigation, countermeasure, and recovery to improve their overall performance in the business environment. After mapping the security risks that threaten a company’s network security, adhering to the NIST SP 800-53A guidelines plays an important role in creating secure systems that have minimal interference. It should be noted that the NIST SP 800-53A guidelines specify the security controls that should be used for different networks, a move that reinforces the general security in the modern workplace.

Developing a Network Defense Strategy

Firewalls are critical when developing a network defense strategy because of their ability to detect malware and other forms of cyberattacks. Because firewalls alone are not enough when developing a network defense strategy, organizations should complement their roles with other technological tools that reinforce the security levels in their networks. Besides, firewalls are among the oldest measures of computer security and continue to prove their importance with subsequent technological innovations (Liu, Zhang, Zhang, & Shao, 2020). It should be noted that modern technological innovations have introduced sophisticated features, which enhance their detection capacity and ability to mitigate cyberattacks. For this reason, organizations should step up their security with the adoption of other tools that complement the functionality of the firewall and its ability to overcome issues, which may undermine their performance in the modern corporate world.

An IDS is an important addition when elevating the security level of different platforms in the corporate world. In this regard, an IDS strengthens a network architecture by identifying vulnerabilities and the accruing risks associated with routers and switches. Even though router access lists can be verified over time to evaluate their efficiency, it is impossible to retrace the weak links without an IDS (Capdeville, Lemoine, & Mezerette, 2019). From this perspective, an IDS exposes security experts to an enabling environment where they can introduce audit tactics that assist with change management in the security architecture. Likewise, IDS logs can be examined to identify various activities that undermine the efficiency of the network security and its ability to safeguard user information from third parties. In the same vein, IDS logs provide organizations with forensic evidence in case of an attack because of their ability to trace the source and activities of different users at any given time. However, incorporating an inline IDS into a network can help prevent ongoing attacks.

Using Monte Carlo simulations allows one to foresee the probability of different variables when exposed to varied scenarios. In this case, Monte Carlo simulations can be used to analyze the impact of risks and the growing uncertainty that revolves around the concept of forecasting. In cybersecurity, Monte Carlo simulation models are widely recommended because of their ability to map risk paths, a move that enables security experts to plot appropriate measures in response to the emerging security threats (Khan & Jayaweera, 2017). It should be noted that organizations can use various methods to implement processes in their networks to evaluate the effectiveness of the cyber controls against emerging threats. Firstly, establishing security metrics enables security managers to utilize operational statistics that play a critical role in enhancing the nature of outcomes in the contemporary environment. In the same vein, performance measures are plotted against the ability of an organization to withstand various risks in the external environment. Hence, setting compliance goals enables company managers to develop a range of deliverables that guide individuals towards accomplishing the set goals and objectives.

Secondly, conducting vulnerability assessments exposes one to an enabling environment where they can overcome various challenges affecting an organization’s operational performance. In this regard, regular vulnerability assessments expose the security patches and weak configurations that can be exploited by hackers. Thirdly, executing an internal audit provides an organization with a clear image of its security controls and the weaknesses that hinder its effectiveness in the cybersecurity space (Ali & Awad, 2018). Likewise, a gap analysis can also be conducted to establish the shortcomings associated with the company’s security policy and other cybersecurity standards.

Penetration Testing Engagement

Penetration testing is similar to ethical hacking because of its ability to demonstrate the existing loopholes in a security system. On many occasions, organizations are expected to conduct penetration testing to enhance the security levels and features of their networks (Chu & Lisitsa, 2018). In this regard, different processes are conducted to evaluate the overall status of a security system and its ability to withstand consistent attacks from hackers as shown in the chart below.

Fig 4.0 A graphical representation of the penetration testing stages.

In the first step, organizations develop a plan that will guide them in conducting a reconnaissance that will yield the desired outcomes. In this stage, the test goals are established and information about the best approaches that can be used to achieve the objectives is gathered. Consultation is often made in this stage to enable the organization to explore all options that can be used to yield desirable outcomes. In the second step, scanning tools are introduced to enable the security managers to comprehend the possible reactions from the security system following a consistent exposure to intrusion (Hatfield, 2019). Scanning tools such as Netsparker, Wireshark, and John the Ripper password cracker are deployed in this stage. In the third step, managers initiate the ethical attacks to the target and observe the response from the system. By using the target and test goals established in the first step, security managers launch simultaneous attacks to establish the errors and develop viable solutions that respond to the emerging challenges. In the fourth and fifth steps, security managers maintain access while analyzing the results to establish the best approaches that can be used to overcome the problem. The overall penetration testing engagement may take less than one week, depending on the system’s level of engagement, and involves the Information Security and Policy Office (ISPO) and the data custodian.

Letter of Intent

HighCastle Cybersecurity

9507 S. Oak Valley Drive

Brooklyn, NY 11228

January 27th, 2021.

Max Webber

Chief Technology Officer

Ambac Financial Group

1 State St, New York,

NY 10004, United States

Physical Penetration Testing Authorization

Following our conversation with you last week, we are writing to seek authorization to conduct a physical penetration test on your network.

As agreed, our company will use the black box testing approach to identify any vulnerabilities in your system and help develop adequate solutions that can be used to respond to the changing needs of both your organization and consumer.

Below are the Rules of Engagement (ROE) that will be applied in the penetration testing process:

  • We will run this operation in conjunction with your technical team to avoid creating inconveniences that may affect the user experience.
  • Sensitive data will be handled appropriately to eliminate the possibility of creating risks that may undermine the credibility of your organization.
  • The penetration testing will take one day before normal operations can be restored. However, the development of viable solutions based on the results will take one week where we will share our findings with you to help you accomplish your desired company goals.

In the event challenges arise during the penetration testing process, our team will brief you on the new developments and work on a new turnaround strategy that will influence the nature of outcomes in the workplace.

 

Jeremy Peters

General Manager,

HighCastle Cybersecurity

 

Network Penetration Test Outcomes

NIST SP 800-53 stipulates the approaches federal institutions should use to manage their security systems. At any given time, organizations develop appropriate mechanisms that suit their security needs and enhance the overall user experience. In this regard, NIST SP 800-53 was established to dictate how federal agencies would implement strategies that protect citizen data from third parties. From this realization, NIST SP 800-53 is a critical element of the Federal Information Security Management Act (FISMA) because of its ability to set industry standards that guide federal agencies during their interactions with citizens and other stakeholders (Bertoglio & Zorzo, 2017). Operating under the U.S. Commerce Department, NIST SP 800-53 promotes innovation and healthy outcomes in the scientific field where industry players are expected to conform to the market standards of operation. From this realization, NIST SP 800-53 enhances the security level of information systems in government institutions. In the same vein, the guidelines enable the government to develop appropriate mechanisms through policy formulation and implementation to control hacker interference that affects the ability of organizations to accomplish their desired objectives in their immediate environment.

After conducting the penetration testing engagement at Ambac Financial Group, we discovered various issues that violated the NIST SP 800-53 control families. Firstly, the company’s access controls were compromised, providing third parties with unlimited access to the customer database. Although Ambac had created an environment that allowed its users to access different services, it lacked a physical access control that would limit individuals from accessing various platforms. By developing a logical access control, it becomes difficult for unauthorized personnel to access the designated technological infrastructure. Both physical and logical access controls respond to different issues that threaten the effectiveness of a security network. For instance, physical access control lowers accessibility in buildings and other tangible IT infrastructure while logical access control reduces exposure to computer networks and system data. From this realization, Ambac Financial had not given authorization to the right personnel who could access company data at any given time, creating a conducive environment for hackers to penetrate their security system.

Without the access control measures in place, it was impossible for Ambac to establish ground rules that would be used to promote audit and accountability in their security system. Notably, many individuals encounter various issues that interfere with different operations in the workplace. In this regard, Ambac should allow external investigators to conduct audit and accountability exercises to evaluate the ability of their system to conform with the stipulated federal guidelines and policies (Rains & Brunner, 2018). It should be noted that NIST SP 800-53 oversees the evaluation of central audit systems to eradicate any potential risks that undermine the existence of different values in the corporate world. By defining the target audience in every security platform, Ambac will create an environment where information resource owners vary from other custodians who rely on the security system. For this reason, IT security personnel at Ambac should allow external investigators to identify auditable events that can be used to overcome security violation issues that undermine the functionality of the security system.

In a compromised security network such as Ambac’s, one may encounter various issues that influence the outcomes of events in the workplace. Firstly, security professionals at Ambac should establish a risk baseline that outlines the different types of threats that can undermine the effectiveness of the entire network. Since every organization has a different culture, it should be noted that adoption of a risk baseline will be influenced by the goals and objectives of Ambac and its vision in the contemporary business environment. Before aligning its operations with the recommended access control protocols, Ambac should assess its workflow and examine the data exchange process to overcome various issues that hinder the corporation from accomplishing its expected outcomes. From this realization, Ambac will be required to capitalize its resources by identifying its risk baseline and aligning its operations with the aim of overcoming the specific threats.

Alternatively, Ambac will be expected to develop a user awareness program that engages its different stakeholders who rely on their platforms for different outcomes. Importantly, creating a healthy relationship with customers plays a significant role that enhances the nature of outcomes in the business environment (Florea & Duica, 2017). Away from the technological infrastructure that facilitates the interactions, embracing progressive approaches in communication is a critical element that will influence Ambac’s success in the business environment. Given that people often click on unapproved links, Ambac should eliminate the possibility of consumers disclosing private information to third parties who benefit from the systemic vulnerabilities. Therefore, engaging stakeholders and informing them about the different approaches that can be used to maneuver the system will build a loyalty program that connects the organization with its target audience in the corporate world.

Risk Management/Cost Benefit Analysis

In the corporate context, analyzing risks is heavily based on the human attribute because of the inability of individuals to conform to society’s expectations, unlike technological tools and innovations. In many instances, organizations take risks by hiring unqualified personnel with the hope that they can learn and adapt to the changing work environment where expectations dictate different operations. Likewise, many Americans take the risk of driving every day to work despite the numerous consequences associated with the activity. In this regard, adopting a security system attracts cybersecurity risks that expose organizations to scenarios that taint their reputation in the business environment.

In Ambac’s case, the real future risk involves a possible cyberattack that may expose private consumer data to external third parties. The consequences from this scenario will be defined by the approaches that may be used by the hackers during their interaction with the acquired information. Likewise, the statistical data will be calculated using the amount of loss that will be incurred by Ambac and its loss of credibility from its stakeholders. The projected risk entails the lack of business due to limited market trust following the company’s reputation in the financial world. Lastly, the perceived risk is held closely by individuals who believe in the organization’s inability to deliver customer expectations in the market.

From this case analysis, it is impossible for Ambac to ignore the benefits associated with elevating the security status of its network due to the changing technological landscape. Conducting regular assessments and audit of the efficiency levels in the security system will provide Ambac with an opportunity to overcome challenges that hinder its ability to interact with consumers in the business environment. For this reason, the benefits outweigh the cost of operation in this activity because of the advantages of connecting with the target audience and forming strong bonds with the people.
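The Monte Carlo approach described earlier, applied to the cost-benefit comparison made in this section, as an added example that is not part of the original report. It simulates a year of security incidents many times, with and without an added control, and compares the reduction in expected loss with the cost of the control. Every parameter value (incident rates, loss sizes, control cost) is a constructed assumption, not a figure from the Ambac engagement.

```python
import math
import random
import statistics


def poisson(rng, lam):
    """Draw an incident count for one year (Knuth's method, fine for small lam)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(rate, median_loss, sigma, trials, seed):
    """Simulate total loss per year: Poisson incident count, lognormal loss sizes."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    losses = []
    for _ in range(trials):
        incidents = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return losses


def summarize(losses):
    """Mean, 95th percentile and probability of at least one loss in a year."""
    ordered = sorted(losses)
    return {
        "mean": statistics.fmean(ordered),
        "p95": ordered[int(0.95 * (len(ordered) - 1))],
        "p_any_loss": sum(1 for x in ordered if x > 0) / len(ordered),
    }


def cost_benefit(baseline, controlled, annual_control_cost, trials=20000, seed=1):
    """Compare simulated losses before and after a control against its cost."""
    before = summarize(simulate_annual_losses(**baseline, trials=trials, seed=seed))
    after = summarize(simulate_annual_losses(**controlled, trials=trials, seed=seed))
    reduction = before["mean"] - after["mean"]
    return {
        "before": before,
        "after": after,
        "expected_loss_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
    }


# Constructed scenario: weak access control versus access control plus auditing.
BASELINE = {"rate": 0.6, "median_loss": 200_000, "sigma": 1.0}
CONTROLLED = {"rate": 0.2, "median_loss": 120_000, "sigma": 1.0}
CONTROL_COST = 50_000  # assumed yearly cost of the added controls

if __name__ == "__main__":
    result = cost_benefit(BASELINE, CONTROLLED, CONTROL_COST)
    for label in ("before", "after"):
        stats = result[label]
        print(
            f"{label:>6}: mean ${stats['mean']:,.0f}  "
            f"p95 ${stats['p95']:,.0f}  P(loss) {stats['p_any_loss']:.2f}"
        )
    print(f"expected loss reduction: ${result['expected_loss_reduction']:,.0f}")
    print(f"net benefit after control cost: ${result['net_benefit']:,.0f}")
```

The 95th percentile is reported alongside the mean because loss distributions of this kind are heavy-tailed, so a bad year costs far more than the average year.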

 

 

References

Ali, B., & Awad, A. I. (2018). Cyber and physical security vulnerability assessment for IoT-based smart homes. Sensors, 18(3), 817.

Angst, C. M., Block, E. S., D’Arcy, J., & Kelley, K. (2017). When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches (pp. 893-916).

Asmussen, J. N., Kristensen, J., Steger-Jensen, K., & Wæhrens, B. V. (2018). When to integrate strategic and tactical decisions? Introduction of an asset/inventory ratio guiding fit for purpose production planning. International Journal of Physical Distribution & Logistics Management.

Bertoglio, D. D., & Zorzo, A. F. (2017). Overview and open issues on penetration test. Journal of the Brazilian Computer Society, 23(1), 1-16.

Capdeville, H., Lemoine, J. M., & Mezerette, A. (2019, January). Precise Orbit Determination of DORIS satellites by CNES/CLS IDS Analysis Center in the frame of the next ITRF. In EGU General Assembly Conference Abstracts (p. 5785).

Carver, J. C., Burcham, M., Kocak, S. A., Bener, A., Felderer, M., Gander, M., … & Williams, L. (2016, April). Establishing a baseline for measuring advancement in the science of security: an analysis of the 2015 IEEE security & privacy proceedings. In Proceedings of the Symposium and Bootcamp on the Science of Security (pp. 38-51).

Chu, G., & Lisitsa, A. (2018, June). Penetration testing for internet of things and its automation. In 2018 IEEE 20th International Conference on High Performance Computing and Communications; IEEE 16th International Conference on Smart City; IEEE 4th International Conference on Data Science and Systems (HPCC/SmartCity/DSS) (pp. 1479-1484). IEEE.

Florea, N. V., & Duica, A. (2017). Improving communication and relationship with customers using models to measure their value. Valahian Journal of Economic Studies, 8(1), 47-56.

Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703-705.

Hatfield, J. M. (2019). Virtuous human hacking: The ethics of social engineering in penetration-testing. Computers & Security, 83, 354-366.

Khan, Z. A., & Jayaweera, D. (2017). Approach for smart meter load profiling in Monte Carlo simulation applications. IET Generation, Transmission & Distribution, 11(7), 1856-1864.

Liu, M., Bailey, M., Karir, M., Liu, Y., & Zhang, J. (2018). U.S. Patent No. 10,038,703. Washington, DC: U.S. Patent and Trademark Office.

Liu, X., Zhang, H., Zhang, Y., & Shao, L. (2020). Optimal Network Defense Strategy Selection Method Based on Evolutionary Network Game. Security and Communication Networks, 2020.

Niakanlahiji, A., & Jafarian, J. H. (2017, October). Webmtd: defeating web code injection attacks using web element attribute mutation. In Proceedings of the 2017 Workshop on Moving Target Defense (pp. 17-26).

Rains, S. A., & Brunner, S. R. (2018). The outcomes of broadcasting self-disclosure using new communication technologies: Responses to disclosure vary across one’s social network. Communication Research45(5), 659-687.

Solow, H., Darshan, E., Cain, H., Epstein, S., & Zucker, A. (2019). U.S. Patent No. 10,284,588. Washington, DC: U.S. Patent and Trademark Office.

 
