Background
This week you will continue to identify threats that could occur based on information you’ve gathered from the IT and other teams at UGH.
- The C-level continues to be interested in the security work
- The recent breach has their attention, and they are open to new projects to reinforce any security layers deemed necessary by the CISO (over whom we have some influence)
- A new security awareness program for all teammates is going to be rolled out in the next 3 months
Discussion
(30 pts) We have had several discussions about the importance of training users.
100-word post, and 100 words per reply.
Considering the example from last week of a user who was on vacation and failed to check the location of the two-factor notification before clicking Yes to proceed, develop a short awareness message for all users at UGH. This could address one of the following security topics:
- Choosing a strong password
- Properly using two-factor authentication
- Cybersecurity traveling tips
Include a headline (no more than 10 words) and at least three supporting ideas (bullet point statements).
For example, if I were asked to make users aware of how to avoid phishing emails, I might write:
3 Easy Steps to Avoid Phishing Emails
- Check your heart rate. If the message is making you panic or getting you excited, it might be phishing.
- Look for clues in the message. Scammers send from odd accounts, may spell words incorrectly, or send messages from organizations you are not connected to.
- When in doubt, type it out. In the end, avoid clicking links and instead open a web browser and type the known address of the site directly. This will ensure you aren’t going to a fake website.
This is just an example. You do not have to have three specific steps. It could just be important points.
(20 pts) Provide feedback to 2 other students’ posts below. Make sure to have their names in the replies.
Zohaib
Week 5 Discussion
Headline: Two-factor authentication: Protect your account, even when you’re on vacation.
Supporting ideas:
- Two-factor authentication adds an extra layer of security to your account by requiring you to enter a code from your phone in addition to your password.
- If you’re on vacation and you receive a two-factor authentication notification, make sure to check the location of the notification before clicking “Yes” to proceed.
- If the notification is coming from a different location than you are currently in, it’s likely a phishing attempt.
- Don’t click on any links in the notification and don’t enter your password.
- Instead, go to the website directly and log in there.
Call to action:
- Enable two-factor authentication on all of your important accounts.
- Be aware of the location of your two-factor authentication notifications, especially when you’re traveling.
- Don’t click on any links in two-factor authentication notifications unless you’re sure they’re legitimate.
By following these simple tips, you can help to protect your accounts from unauthorized access, even when you’re on vacation.
Zaigham
Week 5 Discussion
Dear UGH Users,
Your security is our top priority, and we want to ensure that you have a safe online experience, as well as take part in safe online practices even when you’re away on vacation. Recently, we came across an incident where a user encountered an unexpected two-factor notification while traveling and unintentionally clicked “Yes” without verifying it. To prevent similar situations and enhance your security, we would like to discuss the importance of the following practices:
1. Two-Factor Authentication Awareness:
– Always check the location and context of any authentication notification
– Before verifying the notification, make sure it is expected.
– If you receive an authentication notification while you’re on vacation, verify its legitimacy with the IT Help Desk.
2. Secure Access:
– Exercise caution and use secure networks whenever accessing the UGH Network.
– Avoid public Wi-Fi networks as they might not be secure.
– Use a VPN for an added layer of protection.
3. Password Management:
– Ensure that you have a strong password and try not to use the same password as your other personal accounts.
– Follow all password requirements and protocols.
4. Update Contact Information:
– Keep your contact information up-to-date with UGH so that you may be contacted in case of a security concern or breach.
Remember, staying vigilant and following the security procedures in place, even when you’re on vacation, will aid in protecting the UGH environment as well as your personal accounts.
If you encounter any suspicious activity or have security concerns, then reach out to the IT Help Desk as soon as possible.
Together, we can create a secure online environment for everyone at UGH. Thank you for your attention to these important security tips.
Best regards,
The UGH Security Team
Written Assignment
1 page (300 words). If you need more than a 300-word count, please reach out.
- (100 pts) Continue to add to your Playbook. Based on what you know about the networks and network devices in use at UGH, add at least 2 more threats applicable to the networks in our environment. With each threat, add the same items as you previously stated – risk, the specific MITRE ATT&CK tactic and technique, and our mitigations.
- For each threat, i) Calculate the risk of the threat if no controls are put in place to prevent it. Remember, risk is the potential for loss or damage in the event a threat is successfully exploited. Risk can be calculated as:
risk = probability (or likelihood) x impact (or severity)
- You can use a simple model of low, medium, and high to rate each. Include an explanation why you rated it the way you did.
- ii) Identify the MITRE ATT&CK tactic and technique. NOTE: There may be more than one.
- iii) Describe the mitigations UGH will take to protect the data from the threat technique. Add at least 3 mitigations (tools, processes, and training).
- Add a new section for “Response and Recovery” to cover in the event of an attack
- Add a response and recovery analysis for these 2 attacks
- Phishing attack (for ideas, review Microsoft website)
- Ransomware (For ideas, review Microsoft website)
- Specify the activity, description, and stakeholder for each of the following areas:
  - Detection
    - Detection of incident
    - Initial investigation
    - Incident reporting
  - Analysis
    - Analyze the extent of the incident
    - Identify and report potentially compromised data
    - Develop a remediation plan
  - Remediation
    - Containment
    - Eradication
  - Recovery
    - Recover systems
    - Restore data
    - Restore services
  - Feedback
    - Lessons learned debrief
    - Fine tune detection systems
- Use the “Cyber Incident Response Generic Phishing Playbook” document in the Course Content, Week 5 folder for reference.
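As an added example (not part of the course materials or the UGH playbook), a small Python checker for playbook threat entries: it applies the likelihood x impact model above and validates the ATT&CK identifier shapes and the three-mitigation minimum the assignment asks for. Only the medium-high rating for (medium, high) comes from the page; the other risk labels, the entry format and the sample entry are assumptions.

```python
import re
from dataclasses import dataclass

# Risk model from the assignment: risk = likelihood x impact, each rated low/medium/high.
# Only (medium, high) -> "medium-high" is stated on the page (insider-threat entry);
# the other labels are an assumed completion of that model.
LEVEL = {"low": 1, "medium": 2, "high": 3}
RISK_LABEL = {1: "low", 2: "low-medium", 3: "medium", 4: "medium", 6: "medium-high", 9: "high"}
# ATT&CK id shapes: tactics are TAxxxx; techniques Txxxx, sub-techniques Txxxx.xxx.
ID_SHAPE = {"tactic": re.compile(r"^TA\d{4}$"), "technique": re.compile(r"^T\d{4}(\.\d{3})?$")}


def risk_rating(likelihood: str, impact: str) -> str:
    """Qualitative risk label for a likelihood/impact pair."""
    return RISK_LABEL[LEVEL[likelihood.lower()] * LEVEL[impact.lower()]]


@dataclass
class Threat:
    name: str
    likelihood: str
    impact: str
    tactics: list[str]
    techniques: list[str]
    mitigations: dict[str, list[str]]  # kind (tools/processes/training) -> items


def check_threat(t: Threat) -> list[str]:
    """Playbook-requirement violations found in one threat entry (empty list = OK)."""
    problems = []
    for rating in (t.likelihood, t.impact):
        if rating.lower() not in LEVEL:
            problems.append(f"{t.name}: rating '{rating}' is not low/medium/high")
    if not t.tactics or not t.techniques:
        problems.append(f"{t.name}: needs at least one tactic and one technique")
    for kind, ids in (("tactic", t.tactics), ("technique", t.techniques)):
        for tid in ids:
            if not ID_SHAPE[kind].match(tid):
                problems.append(f"{t.name}: '{tid}' is not a valid ATT&CK {kind} id")
    total = sum(len(items) for items in t.mitigations.values())
    if total < 3:
        problems.append(f"{t.name}: only {total} mitigation(s); at least 3 required")
    return problems


# Constructed sample: the playbook's insider-threat entry as written, including its
# mistyped technique id "TA1213" (Data from Information Repositories is T1213).
INSIDER_AS_WRITTEN = Threat(
    "Insider copies data to USB", "medium", "high", ["TA0009", "TA0010"],
    ["TA1213", "T1052.001"],
    {"processes": ["background checks", "no USB transfers without approved exception"],
     "tools": ["Microsoft 365 DLP"]},
)
```

Running `check_threat(INSIDER_AS_WRITTEN)` reports the mistyped technique id and nothing else; correcting it to T1213 yields an empty list.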
Cyber Operations Playbook
[Your Name]
SM 6375 Cyber Operations Capstone
Dr.
- Purpose. The purpose of this playbook is to document the known assets at UGH and security protections we are using to protect those assets. In the event of a threat or incident, this playbook will direct steps to take to stop any further damage and recover, as much as possible, from the incident.
- [Identify] UGH Environment. At a high level, our environment includes the following:
- Hardware
- Servers. There are approximately 16 Windows Server 2019 servers, 12 Windows Server 2016 servers, and 3 Windows Server 2012 servers located in Houston, TX.
- Workstations. …
- ..
- Network
- Network Configuration.
- Network Devices.
- …
- Applications
- The following enterprise applications are available for all users. These may be installed locally on workstations or accessed through their cloud versions, if available.
- Microsoft Office Suite
- Adobe Acrobat
- …
- The following cloud applications are available for use by all employees.
- Workday
- Concur
- …
- ..
- Stakeholders
- Hardware
| Name | Title |
|---|---|
- [Protect and Detect] Threats
- Data Threats
- Insider Threats
- Insider (current employee) may copy corporate data, such as from Workday or an internal storage drive, to their workstation, and then to a USB drive.
- The likelihood of this attack is medium and the impact is high. The overall risk is medium-high.
- Tactic: Collection (TA0009); Technique: Data from Information Repositories (T1213). Tactic: Exfiltration (TA0010); Technique: Exfiltration over USB (T1052.001).
- Mitigations
- Policies
- UGH will have an HR policy to conduct background checks, where legally permissible, on all employees hired. Any employee hired in the past without a background check must have one conducted.
- UGH will have a policy not to transfer data to a USB drive unless there is a documented and approved exception.
- Tools
- UGH will enable the DLP solution as part of the Microsoft 365 suite to monitor for transfers of sensitive data.
- Attacks on the Help Desk
- Attacker may pose as a user and call the Help Desk to get a temporary password to access an account.
- The likelihood…
- Tactic:…
- Mitigations
- Training
- …
- Tools
- …
- …
- Hardware Threats
- Attack on the Firewall
- …
- …
- …
- …
- …
- …
- …
- …
- …
- …
- Attack on the Servers
- …
- …
- …
- …
- …
- …
- …
- …
- …
- …
- Network Threats
- …
- …
- …
- …
- …
- …
- …
- Response and Recovery
- Phishing
- Detection
| Activity | Description | Stakeholder |
|---|---|---|
- Analysis
| Activity | Description | Stakeholder |
|---|---|---|
- …
- Ransomware