Your team is focused on preventing future incursions into the network and developing a business
continuity plan to be deployed in case a breach occurs. Read the scenario below.
Project 3 Scenario Transcript
Before the summit, each nation set up its own secure comms network. As summit events began,
your team responded to anomalous network activity that was detected on your agency's server.
Now, to make matters worse, the next day you awaken to the news that summit attendees are
unable to get access to the confidential summit data needed for the conference. All of the
computer screens show a pop-up message that says:
"Your Computer has been involved in Child Porn Activity!!! and has been locked down by the
FBI and the Justice Department. Unless you pay the sum of $500 (FIVE HUNDRED
DOLLARS)—in Bitcoin you will be arrested immediately! You have 48 hours to pay up via
email - fines@fbi.gov."
Your CISO has called an emergency meeting with your team. She begins to speak to the group.
"We've just been hit with the Reveton ransom attack, which pretends to be a warning from a
country's law enforcement agency. It locks you out of your PC and threatens criminal
proceedings within 48 hours based upon very serious offenses. The message informs you that
you can avoid prosecution by paying a fine to the attackers via Bitcoin. Based on the time of the
incident, we believe that a single threat actor or group is responsible. This person or group is still
unidentified."
The CISO continues to brief you on the attack, confirming that no further information is known
about the file, permissions, or tools used. Currently, systems show no signs of infection or
additional malicious indicators.
The attendees at the summit are divided on what should be done. Some of them want to pay the
money—it's a small sum to be holding up the proceedings. However, cyber insiders know that
once you pay a ransom, you set a precedent for further attacks since you appear vulnerable.
In addition, you want to know how the attackers were able to infiltrate the system and plant the
malware. What current protections are in place for systems at the summit? What methods and
procedures are your team employing in response to the current attack? What is the plan if
protections fall short? These are the questions pouring in from leadership, down to your CISO—
and now, to you.
Your CISO continues: "I need your team to provide a series of reports that will track this incident
from start to recovery. Risk management briefings. Forensic reports. Situational reports. I need it
all. They'll all come in handy when it's time to debrief our nation's leaders."
I am responsible for parts 4 and 5. I have also included the
info for the underlined in red.
Part 4: Now that the first SITREP is complete, it's time to take a step back and take a look at all
the processes that led to the ransomware attack. How did the malware get here? Is the supply
chain safe? Who was the vendor and how was the vendor vetted?
As a cyber professional, you know that high-profile cyberattacks that cripple the supply chains of
prominent companies show that the point of entry for hackers is often through the weakest link in
the supply chain.
That's why it's important to take a look at your team's software, the supply chain, and the
development processes—all components in a business continuity plan (BCP). Ensuring
appropriate security controls are implemented and integrated in the system development life
cycle and included in the comprehensive BCP is a critical step in finding out what happened,
why it happened, and how you can keep it from happening again.
This BCP will be used to help the CISO identify current systems and timelines that will be used
to bring systems back online and review the sequence of events that occur during BCP
operations.
Begin this step by identifying the specific software assurance needs and expectations of the
organization. The needs and expectations that you identify in this step will be used in the
Software Development Life Cycle Assessment. For a refresher, refer to this information
on software development security.
In this step, you will research and analyze issues in supply chain risk management (SCRM) in
order to make informed decisions in the future regarding the selection of products. Identify the
supply chain risks and challenges for your organization. Next, conduct research to determine
other options that are available for consideration. The vulnerabilities and alternatives that you
identify in this step will be used in the Software Development Life Cycle Assessment, which you
will submit in the next step.
Research and analyze the processes used by your organization's software development life
cycle (SDLC). After you identify the existing processes, research alternatives that could be
considered for optimization of security and efficiency. The processes and alternatives that you
identify in this step will also be used in the Software Development Life Cycle Assessment,
which will be part of the BCP that you will submit in a future step. You will assess the life cycle
of software development in the next step.
Part 5: Your research and analysis during the previous step should have prepared your team to
evaluate and develop a five-page Software Development Life Cycle Assessment in this step.
You will consider the organization's software development life cycle, from sourcing through
implementation. Discuss risks identified in the supply chain and life cycle. Evaluate alternative
processes and products. Conclude with recommendations for improving the security, efficiency,
and cost-effectiveness of the SDLC with a look at avoiding future breaches.
Be sure to do the following:
• Describe basic models and methodologies of the software development life cycle.
• Identify a development methodology that fits your organization and explain why.
• Describe the phases of the software life cycle.
• List and discuss the security principles you would need to consider and explain how you
would apply them throughout the software life cycle.
• Describe the elements of a maturity model.
Your designated team member should submit the software development life cycle assessment for
review and feedback. This assessment will be included in your Cyber Operations and Risk
Management Briefing, which you will develop later in the project. You will also use this work to
create a software development matrix, which you will complete in the next step as part of the
BCP.
Software Assurance
Software assurance seeks to reduce or remove vulnerabilities in order to increase confidence that
software can be used securely and effectively. With the rapid technological advances that have
made computers a commodity and specialized software the norm, there is an increasing need to
ensure that software performs as expected and is not violated with malicious code or
unauthorized actions.
Software assurance involves every element that has the potential to touch the software. To be
effective, it must take a holistic approach to understanding both the environment in which the
software is developed and used and the requirements for software performance. Software
assurance objectives must be developed and assessed at all levels, as they determine an
organization’s exposure to risk.
Software Development Security
When organizations develop custom system and software solutions, they must also consider the
need to ensure data and application integrity, security, and availability. Therefore, security
controls must be included within their custom solutions, and their inclusion planned as part of the
system development life cycle (SDLC) methodology used to implement these solutions.
Regardless of the model selected (e.g., waterfall, spiral, rapid application development, agile), all
implemented systems should be traceable, allowing process and resulting conditions to be
verified and outcomes to be validated against the initial system requirements. To that end, there
are security considerations during each phase of the SDLC, from identifying the information
classification and protection levels during the initiation phase to determining strategies for
sanitizing media and preserving information during the disposition phase.
As with other organizational assets, threats to the integrity, security, and availability of software
applications exist. Vulnerabilities may take the form of code weaknesses that allow hackers to
compromise information or an information system (e.g., buffer overflow). Defects may exist as a
result of a design flaw or an implementation weakness (e.g., hard-coded backdoors). Bugs may
exist at the implementation level, resulting in unintended results or performance. In order to
mitigate these risks as much as possible, organizations should not only audit their development
practices and perform multiple types and layers of testing (e.g., unit, system, security,
acceptance) but also define processes and procedures for assessing the security of any acquired
software.
Click on each of the following links for topics related to the Certified Information Systems
Security Personnel (CISSP) Common Body of Knowledge to help you better understand the
subject area.
Supply Chain Risk Management
Supply chain risk management (SCRM) is the process by which risks associated with the
acquisition and provisioning of components (e.g., hardware, software, infrastructure) are
regularly reviewed and addressed. Such efforts are applied in order to minimize the impact of
risks on business operations and the security of the infrastructures and data.
SCRM acknowledges that the origin of system components cannot always be controlled and that
as such, vulnerabilities can occur that threaten the security of the system. Such vulnerabilities in
the supply chain can occur naturally (i.e., as a result of changes in technology or use cases) or
intentionally (i.e., due to the intent to create weaknesses to enable exploitation).
All organizations that are dependent on a supply chain must consider the need for resilience and
build processes that assure continued business operations even in spite of malicious acts.
Software Development Life Cycle
The software development life cycle (SDLC) defines the steps needed to develop and maintain
software throughout its useful life. This process is initiated during the software design phase and
focuses on quality development standards that result in timely and cost-effective delivery against
requirements.
Security analysis and testing is an important component of the development cycle and should be
considered through every step of the SDLC, which includes the following phases: analysis,
requirements document, design and prototype, implementation (coding), testing and release, and
maintenance.
While SDLCs historically were focused on satisfying functional requirements through software
development processes, the increase in cyberattacks has resulted in adding the integration of
security into each phase of the SDLC.
Maturity Model
Maturity models are used to standardize development to ensure consistency. In cybersecurity, a
software assurance maturity model assists organizations with the development and
implementation of a software security strategy. This process involves an assessment of the
organization's needs, resources, and risk tolerance as well as benchmarking against comparable
organizations. A maturity model has a set of structured levels to describe the reliability and
sustainability of the outcomes of an organization's practices, behaviors, and processes. Thus,
maturity models facilitate the assessment of an organization's processes and methods, promote
consistency, and provide an independent review.
Capability Maturity Model: An Introduction
In addition to using international standards to evaluate their information technology (IT)
products, organizations also follow international standards to manage and improve their own
performance and capabilities. The Capability Maturity Model (CMM) comprises five levels
through which each organization must progress to achieve optimum performance or capability
when developing secure software (International Quality Management Systems, n.d.):
• Level 1: Initial. Apply workforce practices without analyzing their impact.
• Level 2: Managed. Get managers to take responsibility for managing and developing
their employees.
• Level 3: Defined. Develop workforce competencies and workgroups and align with
business strategies.
• Level 4: Predictable. Empower and integrate workforce competencies. Manage progress
through a defined set of metrics.
• Level 5: Optimizing. Continuously monitor and improve performance.
CMM is the benchmark for comparing the software development processes of two or more
organizations.
Working Through Capability Maturity Model Levels
What follows is how a typical medium-sized company might strive to accomplish the CMM
Level 5 certification.
Level 1: Initial
At this level, the organization has not started any formalized methodology. When it decides on a
formalized methodology for developing secure software, such as CMM, it moves to the second
level.
Level 2: Managed
At this level, the organization ramps up the training, working environment, and personnel needed
to begin the secure software development life cycle. For example, the organization might initiate
training on secure coding practices and training for auditors to show them how to document and
evaluate information assets.
Managers then create working environments, in which breakout groups are asked to work on
individual aspects of the formalized methodology. For example, an organization might create an
auditing group, a secure coding group, a project management group, and departmental leadership
groups.
Level 3: Defined
In this level, the organization further defines its methodology by breaking out its personnel into
more focused and specific working groups, developing best practices and creating a culture in
which the staff participates in the program to increase their investment in the outcome.
The secure coding group, for example, could be further divided into secure coding for databases,
secure coding for web servers, and secure coding for network administrators.
The groups then develop best practices for how they will communicate among each other and
share/report information, along with best practices for securely coding customer databases and
web servers at the subgroup level.
Level 4: Predictable
At this level, the organization's processes are stable and established in ensuring secure coding.
Leaders mentor the staff, and the individual working groups—which now have a deep
knowledge of the processes and in-depth frontline experience—are empowered to make their
own decisions, such as deciding whether to use a different coding protocol on a customer
database based on several small issues on the database.
Performance management is also put into place. The organization identifies a benchmark and
establishes metrics to measure progress toward reaching that goal. These metrics are also used to
monitor the progress of all teams in the organization.
Level 5: Optimizing
At this level, the organization finally optimizes its process, adapting it to new challenges and
continuing to monitor and improve it regularly to ensure continued excellence.
Review
For each of the following tasks, consider at what level of the Capability Maturity Model (CMM)
an organization would perform it.
• Monitor progress through established metrics
• Create best practices and workgroups
• Formalize a methodology to improve processes
• Organize the personnel needed to establish workgroups
Monitor Progress Through Established Metrics
The organization puts performance management policies in place that allow it to monitor
progress at CMM Level 4.
Create Best Practices and Workgroups
At CMM Level 3, the organization further defines its methodology by developing best practices,
breaking out personnel into more focused and specific working groups, and creating a culture in
which the staff participates in the program to increase their investment in the outcome.
Formalize a Methodology to Improve Processes
The organization starts to formalize a methodology to move to Level 2 during CMM Level 1.
Organize the Personnel Needed to Establish Workgroups
At CMM Level 2, the organization ramps up the training, working environment, and personnel
needed to begin the secure software development life cycle.