| Category | Coursework |
| --- | --- |
| Subject | Management |
| University | University of Greenwich |
| Module Title | COMP1608 Managing IT Security and Risk |
Assignment Brief
The scenario
- Following quite a few IT security incidents resulting in data loss, GDPR breaches and penalties, MegaCorp decided to invest more in improving its IT security posture. Their first task was to hire you to help them improve the way they do things. In terms of IT infrastructure, their IT estate includes approximately 50 CentOS 6.x servers and 50 Windows 2012 Standard servers, around 900 Windows 7 laptops and 600 macOS Mojave laptops, 600 desktops running Windows 10 2H22 and macOS Mojave, and a number of core infrastructure devices including Cisco 7200 series routers, RV340 VPN devices, 6800 and SX550X-52 series switches, FortiGate-5001A-SW-G firewalls and FortiGate-620B-G load balancers. Virtualisation is used, with cloud solutions based on Azure and AWS.
- The company also uses VoIP with Cisco phones, and the network is converged.
- The corporate network is mostly flat, and a shared network drive is in place for all staff. It is used as a common share to store various client data, some of it potentially confidential (the company has no data classification system in place).
- There are also separate network drives that are used for temporary files (application temp storage) by all staff and some contractors when onsite.
- Employees often work onsite on client projects. Some of their devices are encrypted, but there is no policy-based encryption control. Employees are allowed to install software on an as-needed basis, and they have local admin rights. The use of USB drives is company-wide: staff carry the files they need to install, and data, with them. This is a measure that helps the organisation reduce IT support involvement and workload.
- Email is used widely. There have been instances where email was used to transfer various files as needed, including quotes and client information. There is no policy against this, although there have been incidents of data exfiltration. The network administrator started an investigation into this matter, but it was put on hold, along with other key tasks, as he is currently on sick leave and nobody else has access to his system.
- The joiners' onboarding process is not standardised, as different teams follow their own plan. Joiners learn on the job, sometimes by shadowing, sometimes through trial and error.
- Yearly training is not provided, but members of staff are advised to find someone to shadow or to use an online resource such as YouTube to obtain the required software and related skills.
- Hierarchy and job title do not always map to access rights, as some staff have multiple roles that do not always match their job title. Limiting their access to data would add to the workload of IT support.
- Management of the devices has become an issue: it is manual and takes too much time, as there is no MDM in place.
- Vulnerability management is not implemented currently.
- Security monitoring is not implemented yet because the systems are not configured for monitoring and there is no SOC support in place.
- System patching is performed manually by users – users receive an email asking them to apply an update – and there is no centralised solution in place.
- Logging is very basic, if it exists at all, and account segregation is not enforced.
- There is a team of developers who develop code for the organisation, but they do not follow a standardised approach.
- Testing and evaluation of new code sometimes takes place on production systems.
- The test, development and production environments are not segregated appropriately, and there have been instances where test data made it into the production environment.
- Logging is not implemented, and there have been instances where incident response was needed but no logging at all was available.
- Backups are not performed due to lack of HD space. The organisation plans to invest in a backup solution sometime in the future.
- Databases do not have roll-back functions enabled, and no logging is enabled, due to HD space.
- Account sharing is used to reduce IT workload.
- The IT estate infrastructure is not monitored and a SIEM is not in place. IBM’s QRadar Security is in place for the Web and database servers, with a retention of 30 days.
- Physical security is lacking, and on a number of occasions unauthorised employees and guests have accessed restricted areas.
- There is a test environment, a development environment and a production environment. Remote working is allowed, and users often work remotely. A Web-based interface that can be accessed from across the world is used instead of a VPN. There is also network core equipment that has been incorporated into MegaCorp’s network following a recent merger with Initech; this was added to, and extended, MegaCorp’s network. Some Initech admin staff accounts were also moved to MegaCorp’s domain to allow maintenance of the newly acquired hardware. Some of the devices can be seen next, but this is not to be considered a complete list (a complete list is not available – the merger happened too fast); additional equipment might be connected and not listed.
Task 1
Based on the key information provided, identify and critically discuss two key recommendations for improving the security posture of this company. You might find there are many more opportunities for improving the overall security posture of this company; however, you should select the two that you consider will make the greatest impact. You might want to consider these in terms of change control, compliance, cost, continuity, and coverage of mission-critical assets (e.g. data security, endpoint security, application security, network security, perimeter security and the human layer).
Task 2
Following on from Task 1, create a realistic* plan with five recommendations for improving the security posture of this company. This can be a list of recommendations, in the order that will make them easiest to implement, with tasks for each of them. E.g. Recommendation 1: To improve WiFi coverage. Responsible team: IT Networks. Tasks: Buy drones, fit routers on the drones, have drones flying over the premises to provide good WiFi coverage.
Provide a brief explanation for each of your recommendations and make sure that you include:
- Why each of these has been selected,
- Why you have placed them in this order, and
- Which team** the task(s) relating to your recommendations for improvement should be allocated to.
Any assumptions made must be stated.
*The plan must be realistic in terms of delivery (hint: sometimes things have to happen in a certain order, over a certain timeframe, and cannot all happen at once).
**You have not been told what teams the organisation has. You can make assumptions about the teams they have (e.g. IT security team, management team, software development team), based on the scenario information provided and common industry practices.
Task 3
Conduct your own research and identify ten security threats that are on the rise in 2024 and are relevant to this organisation, based on what was covered in class about common threats. Perform a basic risk analysis (how might each of these risks affect business operations?) and order them based on their criticality. Do not just list them! Each of these threats must be briefly explained in plain English (in general, what is it, how does it usually work, what can be affected within a business unit or system, etc.).
a) A brief scenario (non-generic) must be provided for each of these threats that is specific to this organisation.
b) A brief countermeasure recommendation must be provided for each of the scenarios provided in a). Please note this must be specific to the organisation and targeted rather than a “blanket” solution (e.g. “install a better firewall” or “improve the security policy” are not acceptable answers).
c) What is the risk rating that you would assign, and why? (Refer to what we discussed in class about risk.)
Task 4
The company recently set becoming PCI DSS compliant as its immediate target. Review the latest PCI DSS standard requirements (available to download from https://www.pcisecuritystandards.org/document_library/). Based on the key information provided about this organisation, critically discuss the five applicable changes that would have the highest impact in aligning with the PCI DSS standard.
Hint: Often, before any changes towards a compliance goal can be achieved, foundational changes might be required to allow for them (e.g. the creation of teams, changes to processes or departments, or new or additional IT infrastructure). Please make sure you mention any such foundational changes.
Task 5
Reporting
You are required to present a report with the following structure:
- Summary
- Task 1
- Task 2
- Task 3
- Task 4
- Conclusion
- References
Present your coursework as a report of no more than 3,000 words.
This should be typed, and you may use graphics and tables. We expect that you will demonstrate a systematic understanding of the information security concepts discussed and analysed.
We expect that you will use an extensive range of current and appropriate literature to support your arguments and to bring different perspectives to the information security concepts discussed and analysed. References should be in the Harvard referencing system.
Marks are awarded for clear, coherent writing, proofread work and written English that is of an extremely high standard and observes all academic conventions in style and content. We expect to see an appropriate command of the rules of report layout, spelling, punctuation, grammar and syntax, with due regard to the use of figures, diagrams and references.