CIS 4891 Miami Dade College Selected Security Controls Worksheet


Question Description

I’m studying and need help with a Computer Science question to help me learn.

This week, your report should include the following:

  • a high-level architecture diagram of the cybersecurity solution with the selected security controls at the different layers where they operate.
  • a list describing the selected security controls for each identified threat.

Unformatted Attachment Preview

Team #1: Nelly Delessy-Gassant, …
Secure OpenEMR Specifications
CIS 4891 Spring 2020

Selected Security Controls

The following table shows an exhaustive list of applicable threats for each identified asset:

Asset # A1 Asset Scheduling data Threat # T1 T2 Threat Disclosure: Eavesdropping of the data in transit Disclosure: Social Engineering Response Approach Prevent Encryption Protocol Prevent/Detect User Training T3 Prevent Disclosure: SQL injection attack Prevent Prevent Prevent T4 Prevent Prevent Modification/Deletion: SQL injection attack Prevent Prevent/Recover Prevent T6 Modification/Deletion: Unintentional error A2 Billing data T7 T8 Disclosure: Eavesdropping of the data in transit Disclosure: Social Engineering Recommended controls Prevent Recover Code Review: Query Parameterization (PHP PDO) Static Code analysis Dynamic Code analysis Web Application Firewall Code Review: Query Parameterization (PHP PDO) Static Code analysis Dynamic Code analysis Data classification policy Web Application Firewall Need-to-know policy Asynchronous Backup Prevent Encryption Protocol Prevent/Detect User Training T9 Prevent Disclosure: SQL injection attack Prevent Prevent Prevent T10 Prevent Prevent Modification/Deletion: SQL injection attack Prevent Prevent Recover T12 Modification/Deletion: Unintentional error A3 Patient records T13 T14 T15 Disclosure: Eavesdropping of the data in transit Modification of the data in transit Disclosure: Social Engineering Prevent Recover Prevent Encryption Protocol Prevent Encryption Protocol Prevent/Detect User Training T16 Prevent Disclosure: SQL injection attack Prevent T17 Modification/Deletion: SQL injection attack Code Review: Query Parameterization (PHP PDO) Static Code analysis Dynamic Code analysis Web Application Firewall Code Review: Query Parameterization (PHP PDO) Static Code analysis Dynamic Code analysis Web Application Firewall Synchronous Backup Need-to-know policy Asynchronous Backup Prevent Code Review: Query Parameterization (PHP PDO) Web Application Firewall Code Review: Query Parameterization (PHP PDO) Recover T19 Modification/Deletion: Unintentional error A4 Linux Virtual machine Prevent Recover T20 Prevent Disruption: DoS, DDoS Prevent Detect T21 Prevent Modification/Deletion: Unintentional error Prevent/Recover Recover Recover A5 OS, web server and platform configuration T23 Modification/Deletion: Ransomware T24 Prevent Recover Prevent Disclosure / Modification / Deletion: Other malware Prevent Prevent Detection T25 A6 OpenEMR script files Disclosure / Modification / Deletion / Unauthorized use: Password cracking Prevent Prevent T26 Prevent Modification: XSS injection attack Prevent Prevent T27 Disclosure / Modification / Prevent Synchronous Backup Need-to-know policy Synchronous Backup Redundancy / Load Balancers/ IPS Web Application Firewall Network monitoring Need-to-know policy Configuration Management Audit Logs Asynchronous Backup User training Asynchronous Backup Staff training Anti-malware software Penetration Testing System Monitoring (HIDS) Strong Password Policy Multi-Factor authentication Code Review: DOM Based XSS Defense Static Code analysis Dynamic Code analysis Multi-Factor authentication Deletion / Unauthorized use: Password cracking T28 A7 OpenEMR configuration files T29 T30 A8 OpenEMR authenticated sessions T31 Modification/Deletion: Ransomware Modification/Deletion: Ransomware Disclosure / Modification / Deletion / Unauthorized use: Password cracking Disclosure / Modification / Deletion / Unauthorized use: Session hijacking / Cross-site request forgery Prevent Prevent Prevent Prevent Prevent Prevent Strong Password Policy User training Multi-Factor authentication User training Multi-Factor authentication Strong Password Policy Prevent Multi-Factor authentication Prevent Code Review: Cryptographic token

In addition, in accordance with the HIPAA Security rule, a thorough vulnerability analysis of the application is recommended.

Architecture of the Solution

Note: The diagram below shows some of the security controls added by the local IT company responsible for the network security of GoodDoctors, Inc.

Figure 1. Architecture of Secure OpenEM

Weekly Report #2
Group 9
CIS 4891 Spring 2020
Professor Nelly Delessy
January 28, 2020

Threat Analysis

The following shows an exhaustive list of potential threats

# Asset Threat # Threat Impact Likelihood Risk rating 1 Digital Signage T1 Theft/ Vandalism High Medium Medium Player T2 USB port access Medium Medium medium T3 File tampering Very Very High High T4 T5 Unencrypted file Very transfers high Single broadcast Very domain (without High High High High High Very High segmentation) T6 Cleartext local login Very High Very and remote server High High Medium Medium High Out-of-date versions of Very Very OS/BIOS/ other High credentials T7 Non-essential services and applications T8 applications High High T9 Environmental High Low Medium High Very High High Very High Very Incidents / disaster T10 Physical Security: Accidental damage and vandalism 2 Content T11 Themes and plugins Management System High T12 Brute force Very High High High T13 T14 Very High SQL injections and Very Medium Very cross-site scripting High Distributed denial of High High High High services 3 Scheduling Data T15 SQL injection attack High Medium Medium T16 Breach in access High Medium High Low Medium Low Low Low Medium controls T17 Failure Pattern Prediction and Recognition T18 Eavesdropping of the data transit T19 Modification or Medium High Medium High Low Medium High Rare Medium High Medium High High Medium High High Low Medium Very Medium High deletion: Unintentional error 4 Windows Machine T20 Environmental incidents / disaster T21 Modification/Deletion: Unintentional error T22 Running code with system tools T23 Fileless attack (inject code into memory, hijack COM objects, and insert malicious code into firmware) 5 OS, Web Server, T24 and platform configuration Environmental incidents / disaster T25 Ransomware High T26 Other Malware High Medium High T27 Password Cracking Very High High High T28 Non-essential services and applications Medium Medium High T29 Unnecessary open TCP High Very High ports T30 Very High Out-of-date versions of Very OS/BIOS/ other High High Very High applications 6 DisplayMonkey T31 script files T32 Cross-Site Scripting Very attack High Directory Traversal Very High High High High Medium High High High Medium High Medium High High T33 Ransomware Very High 7 DisplayMonkey T34 Directory Traversal configuration files Very High T35 Ransomware Very High 8 DisplayMonkey T36 authenticated Cross-site request Very forgery High sessions

Strategies for avoiding security threats

Because computer systems face so many threats, companies have come up with different ways to prevent, minimize or abolish them. The threats listed above have been analyzed, remedies have been identified, and methods have been put in place to abolish them. These threats affect computers and computer technology. The strategies have been put in place to support the operation of technology in major places and offices. The table below shows the strategies that have been put in place to prevent security threats in the computer system.

The following strategies would be used to avoid the threats:

| Risk Management Strategy | Threats |
|---|---|
| Avoid | None |
| Transfer | None |
| Accept | T6, T14, T23 |
| Mitigate | T1-T5, T7-T13, T15-T22, T24-T31 |

Group #9 will give direction to choose, execute and test suitable security controls to address the dangers in the Mitigate class.

Current Security posture

Texto wants to take part in the benefits the digital signage trend has to offer in promoting their brand and has requested the IT company to implement their digital signage network.
Texto is also aware of recent attacks pertaining to digital signage, and security is a priority to successfully execute their operations without worrying over any potential breach. The current security posture of the company relies on the skills of the local IT company, and on the cloud provider.

The multi-tenant public cloud company has implemented the following security measures:

● Physical Security
  ○ Accidental damage
  ○ Vandalism
  ○ Environmental Disasters
  ○ Authentication Methods
● Virtual Data Center Security
  ○ DDOS Protection
  ○ General Disaster Recovery
  ○ Protection Against Intrusion Attacks
  ○ Logging and Records
  ○ Data Storage
● Administrative Security
  ○ Information Assets
  ○ Employee Policies
  ○ Data Handling
  ○ Operating Procedures
  ○ Privacy Policy
  ○ Third Parties
● Applications and Communications Security
  ○ Devices
  ○ DisplayMonkey API
  ○ DisplayMonkey Management & Presentation Software
● Awareness and training of the cloud staff

The local IT company has implemented the following security measures:

● Workstations:
  ○ Hardening of the Operating System
  ○ Protection of the workstations against malware
  ○ Protection against unauthorized access using Active Directory from the cloud.
  ○ Password policies from the company are enforced.
● Isolation of the network into VLANs
● Physical security of the routers/switches/APs/local server
● Use of WPA Personal to protect the wireless network.

There are various implementation plans for the establishment of a security posture. The organizations have implemented new metrics. Cyber security is a platform that ensures there is proper control and coordination of the networking system. The securities are mostly implemented on networking devices. In this platform, the services are deployed and are left to flood to the target devices via networking media (Luckey, et al., 2019).

Reference

Rider, E. A., Comeau, M., Truog, R. D., Boyer, K., & Meyer, E. C. (2019). Identifying intangible assets in interprofessional healthcare organizations: feasibility of an asset inventory. Journal of interprofessional care, 33(5), 583-586.

Luckey, D., Stebbins, D., Orrie, R., Rebhan, E., Bhatt, S. D., & Beaghley, S. (2019). Assessing Continuous Evaluation Approaches for Insider Threats: How Can the Security Posture of the US Departments and Agencies Be Improved. RAND Corporation Santa Monica United States.

IBM Security. (2015). Understanding the risks of content management systems: How open source web platforms can open your organization to attack. IBM X-Force® Research. http://hosteddocs.ittoolbox.com/undertstandingrisksofCMS.pdf

Weekly Report #1

Please provide the first draft of your Problem Description document. It should include:

  • the overall description of the client’s business context
  • the list of assets that need to be protected. Assets include hardware (e.g. servers and switches), software (e.g. mission critical applications and support systems) and information (at rest, in motion, in memory).

Group 9
CIS 4891 Spring 2020
Professor Nelly Delessy
January 28, 2020

Business Context:

Established in 2019, Texto is a departmental retail store offering customer services and goods from local markets at the best discounted prices, which has allowed it to become a competitive alternative to well-known giant retailers. Texto, located in Homestead, Florida, wants to better engage with potential customers and entice them into their store by installing digital signage to display the latest discount sales, incoming products, membership offers, advertisements, and much more. Therefore, Texto contracted an IT company to arrange the local connections of the LED screens and install DisplayMonkey, an open source digital signage software on a multi-tenant public cloud, to manage and upload content as they wish.
They also hired a cyber security firm to provide a security assessment of the local area network and secure the vulnerabilities of the application.

Features of DisplayMonkey include:

● Show sales, financial or other types of KPIs to display up-to-date information
● Upload and share images/video
● Link your YouTube videos with full control of settings like sound, aspect ratio and video quality
● Designed to take full advantage of the HTML 5 standard
● Enter simple memos which will be displayed in a pre-formatted way
● Organize displays into groups and hierarchies to enable specific content to be shown only in certain location or locations
● WYSIWYG HTML editor to create fully customizable messages like a cafeteria menu or a visitors welcome screen
● Easily manage content to display from and to any specific date and time. Total control over how information is displayed on screens, such as: full screen, two or more panels, sizes and placements
● Connect your Exchange server and show calendar information like availability outside conference/meeting rooms and offices.
● Date and time formatting, weather, current time and more. All based on the display's geolocation for easy management.
● Built-in caching functionality to speed up delivery of content and reduce strain on network resources.
● Designed and built on the latest web and database technologies. Dot.Net 4.x web server and content stored in MS SQL database makes a robust and cutting edge platform
● Built-in support for CSS templates that will change the look & feel of presentations. Create one or more templates for every type of content.
● Connect to Azure/Power BI portal and show your existing Power BI reports and Tiles in hallways and conference rooms.

Asset Inventory:

The network diagram below illustrates the network infrastructure of the retail store that the digital signage application will be deployed on.
Texto has a hybrid PoS system, that is managed by a PoS cloud provider, to keep track of critical information pertaining to sales, inventory, and performance; generating reports; and reviewing audit logs. A locally hosted back-office server and resilience gateway is available to provide redundancy, in case the internet is unavailable and the PoS systems can upload data to the local server in the meantime. The only workstation in the store is the manager’s office pc which is a Windows 10 machine. Display Monkey is deployed on a Linux virtual machine

Scope

The multi-tenant public cloud company is responsible for the security of the cloud. Therefore, the following assets won’t be considered in the project:

● Hardware/firmware from the cloud’s global infrastructure
● Networking devices/software from the cloud’s global infrastructure
● Facilities where the cloud’s data centers are located
● Managed services (Databases)
● WAN Devices

The local IT company is responsible for the security of Texto’s network. Therefore, the following assets won’t be considered in the project:

● Workstation (Store Management)
● IP phones
● LED Screens
● Mobile PoS Devices
● PoS Cash Registers
● LAN devices/ software

The following assets will be considered:

| Asset # | Asset | Asset description | Value |
|---|---|---|---|
| A1 | Digital Signage Player | Media players receiving content from the CMS, connected on the Texto network. | Medium |
| A2 | Content Management System | Upload images, graphics, videos to the LED screens for display. | High |
| A3 | Scheduling Data | Data from a cloud-based MySQL database in transit to/from the cloud and in the VM memory | Low |
| A4 | Windows machine | Virtual machine hosting the web server, static assets and dynamic assets (PHP). | Very high |
| A5 | OS, web server and platform configuration | Configuration files on the VM. | High |
| A6 | DisplayMonkey script files | PHP files on the Windows Virtual machine. | High |
| A7 | DisplayMonkey configuration files | PHP files, text files on the Windows Virtual machine. | High |
| A8 | DisplayMonkey authenticated sessions | PHP session IDs in files on the VM, and in transit to/from the cloud. | Very high |

...

Final Answer

Am through check it out

Running head: SELECTED SECURITY CONTROLS

Selected Security Controls
Author
Date
Professors Name

The table below shows a list of applicable threats for each identified asset:
| # | Asset | Threat # | Threat | Response Method | Recommended controls |
|---|---|---|---|---|---|
| 1 | Digital Signage Player | T1 | Theft/ Vandalism | Prevention | Proper training of users; Physical access control implementation |
| | | T2 | USB port access | Prevention/Recovery | Proper system Configuration Management; A policy on data classification |
| | | T3 | File tampering | Detection/recovery | Monitoring of systems; backup |
| | | T4 | Unencrypted file transfers | Prevention | Encryption algorithms; Procedures |
| | | T5 | Single broadcast domain (without segmentation) | | |
| | | T6 | Cleartext local login and remote server credentials | | |
| | | T7 | Non-essential services and applications | | |
| | | T8 | Out-of-date versions of OS/BIOS/ other applications | | |
| | | T9 | Environmental Incidents / di... | | |
| | | T10 | | | |
| 2 | Content Management System | T11 | | | |
| | | T12 | | | |
