Update OS Vulnerabilities

Description

Project 2 SAR needs to be updated, page numbered, and elaborated in some sections. Please read the steps document and incorporate suggestions from the Notes and suggestion document.

Unformatted Attachment Preview

Assessment Tool Comparative Analysis: I SAW NO MATERIAL FOR THIS ITEM
Similarities: I SAW NO MATERIAL FOR THIS ITEM
Differences: I SAW NO MATERIAL FOR THIS ITEM
THESE THREE ITEMS ARE INCLUDED IN THE PROFESSOR’S OUTLINE

You did this in the paragraphs above. You selected two tools (MBSA and OpenVAS) and compared them. Did a good job on the differences, but kind of weak on similarities. Might want to add a few words about why these two over the list you provided. Best argument was they are free. Issue is, it takes competent users to run them.

One thing I don't see in the paper is asset management. This is the biggest problem for any large enterprise. If you don't know what is on the network, you cannot determine what state the network is in and therefore any risk study is incomplete. A good asset management tool can help track assets and maintain security as it helps document and maintain latest patches, updates, old and new equipment, and general knowledge of what is on the network.

As you listed several OSs and only recommended MBSA, how will residual risk be addressed for devices that are not Windows based? Most of your network devices (routers, switches, firewalls, etc.) are not Windows based. So what recommendation will you offer to keep these out of the high risk category? More and more of these devices are being dumbed down (made easier to manage - no special training required) and therefore are becoming easier targets for hackers. Look up abuse of Cisco's SMI, or read the USCERT TAR on routers. You cannot ignore the network infrastructure anymore.

Might want to go back and look at Nessus. It can look from the outside your network to see what if anything your network is leaking to the outside world.

You mentioned things like IDS and IPS without going into detail. FYI IDS is out and should not be installed in any new or upgraded networks.
These are relics of the past and only alert you to things that have already happened, where IPS is real-time protection if properly configured.

Recommend: Something else I did not see was a "so what" in the recommendation. I thought I saw the guidance in the outline and even if not in the outline - how do you convince management they are mitigating risk and protecting their money without it? Examples of why weak passwords cost a company so much money/loss of reputation. Remember you are selling them on risk management and you don't already have them in your pocket. If you did you would not need to write this paper. Tell how I am there to help them.

Presentation, few notes on the instructions.

1. How do you present your technical findings succinctly to a nontechnical audience? Your Workspace exercise report will span many pages, but you will probably not have more than 30 minutes for your presentation and follow-up discussion.

First with 30 Min consider 3-5 minutes a slide and intro and contact info do not count so at most 6-7 slides and might want to leave 5 min for questions. So more like 5-6 slides. Shoot to explain the low hanging fruit, things that are easy to understand, like spearphishing, social engineering, weak passwords, system vulnerabilities, network vice application weaknesses. Talk about most bang for their security dollar. – Recommendation. (Track Asset and Train Users to new two and please add 2 more)

1. How do you describe the most serious risks factually but without sounding too temperamental? No one likes to hear that their entire network has been hacked, data has been stolen, and the attackers have won. You will need to describe the seriousness of your findings while also assuring upper-level management that these are not uncommon occurrences today.

If you can put things in terms of company reputation and loss of either earnings or earning potential then you will hit the mark.
A brief description of what is worst, what's the remedy and what is bottom line - what happens if not addressed - back to the company reputation or earnings == Should be the last slide (part of recommendation)

1. How do your Workspace exercise results affect business operations? Make sure you are presenting these very technical results in business terms that upper-level management will understand.

Seems to be a repeat of the first requirement. The military has a saying KISS - keep it simple stupid.

1. Be very clear on what you propose or recommend. Upper-level management will want to not only understand what you discovered; they will want to know what you propose as a solution. They will want to know what decisions they need to make based on your findings.

This is where the most bang for buck comes in. Remove low hanging fruit (spearphishing, social engineering, weak passwords, system vulnerabilities, network vice application weaknesses) and 90% of your problems go away.

No intro slide - Need to tell folks who you are and why they are there. TITLE - Company X SAR conducted DATE, by Name, BS Certificates XXXX

Current slide #1 - TOO WORDY!!! Don't start off with definitions. Folks will be reading while you are talking. Put the definitions in your own words and then put the high points on the paper - Use speaker's notes to convey your thoughts if you have to, but don't put your thoughts on the slide. Slide could contain a question: What is a SAR? - highlight the points of interest to you. Why are you doing one = to find weaknesses in your network that a criminal, disgruntled employee, or hacker could use to cause your company harm either through reputation, loss of production/productivity, or monetary loss. (Save $$$) Another question could be: what are weaknesses? Then put on words that you explain - vulnerabilities occur in software you buy/develop, hardware you purchase, people don't think or are not trained to worry about security.
A third question could touch on why a SAR and not a Risk assessment - What is the bottom line on why they should listen to you for another 20 minutes? Remember this is your first slide and you need to capture the audience for the rest of the presentation. If folks are reading definitions, they are not listening to you!! You may also put a preview of your recommendation here in a word or two - recommend vulnerability scanning tool/s that will identify the most egregious weaknesses and help provide your IT/security staff the best way to fix them. This will do what for them??? This will be the most important slide of the presentation so spend some time on it.

Slide #2 - Suggest removing duplication - start with all systems have … weak passwords, poor patch management, whatever else is common among all the systems. Poor data management – should be included in the Common Problems List (spearphishing, social engineering, weak passwords, system vulnerabilities, network vice application weaknesses). What are you trying to convey on this slide - general problems with OSs or specific problems with companyXXX? If the latter I would provide some #s == your company has 200 machines with Windows OSs of varying versions 8-10 and 50 machines with Linux OS of different versions (redhat, Open BSD, Android, etc.) Then id the common problems found and then specific to each OS and then point out the worst issues == Bold or different color, maybe a banner. State the easy things to get rid of.

Slides #3-4 You are back to reading material = Why are you going to waste 10-12 precious minutes on definitions??? Are these needed or should you have one slide with business risk vice security risk? Need to relate what you see as risk in their terms, not push your definitions on them. Why should your audience care about the risk and how to manage it?? If you feel strongly that you need these at least use your own words and why they should care.
Remember if they are reading the page they are not hearing you. Bottom line: Cost, Profit, and reputation – cost and why for getting rid of weak passwords and other hanging bad fruits.

Slide #5 Not sure what you are telling CEO = Bad things are out there. Find companies that have suffered issues that relate to his company = RANSOMWARE, Exposure of client data, == You do some of it in bullet 3. Ask yourself if the CEO needs to know what an attack or threat is or just know about the results of one?? Not sure why bullet 4?? Not threat or attack. I would take IDS out of your vocabulary, early 2000's technology and not very useful in today's environment.

Slide #6 - These are two tools you compared and not methods but are tools. The method is built into the tools. I would go back to your paper and list all the tools and then in your own words describe these two. You have too much detail - go back to your paper and pull out what instructor wanted - similarities, differences, and why you feel these are better than the others. BTW - what happened to the additional people needed, not here at all??

Slide #7 - Recommendation is missing in action (MIA) - First paragraph - they may or may not read your SAR - they should not have to as you are telling them what they need to know in this brief. If you feel you haven't then you need to pull out the definitions and work on content. If you feel MBSA is the only tool they need tell them why and what it buys them, not what you have on the page - not in minute detail but things like cost, ease of use, personnel requirements, convey it is best bang for their buck.

Need Slide #8 with questions and contact info - you can make it up, just have professional looking contact info.

Professor Notes in the Discussion Board

Here are some thoughts on how Project 2 can be approached. Again, watch the video and read the transcript to understand the scenario and work your Project with the scenario in mind.
The objective is to essentially provide two things: (1) A Security Assessment Report or SAR on the state of the Microsoft and Linux operating systems within the fictitious organization in the scenario, and (2) Create a non-technical narrated presentation. There is no executive summary. So your narration can either be audio on your slides or simply written speakers notes in the note area. The audience for the presentation is the executive level and for the SAR it is the leadership who are both technical and non-technical.

Going through the Steps you will see that the SAR has the following:

1. A brief definition and explanation of OSs and information systems. See Step 1, Items 1-4. Note that although there may be specific questions in each step, you are not necessarily just answering these. You cover those aspects in your writing (in the OS overview in this case).
2. Continue with a brief overview of the advantages, disadvantages, known vulnerabilities or security issues for each OS. Again see Items 1-6 in Step 2.
3. You will be scanning the two OSs. So the next thing you include in your SAR is what you are going to do, how you will do it, what tools you will use, any pros and cons of each tool, what information the tools will provide and why this data will be important. The Step gives examples of the data (password strength, Internet Information Services or IIS administrative vulnerabilities, etc.) which you can talk about. Talk means why they are important. What types of issues could they have? What impact could those issues have on the business? Etc.
4. Include your OS scan results in an Appendix, but from those results prepare professional tables, charts, graphs, etc. which convey the issues. Some people like to divide the results into extremely important, lesser importance and those in the middle. You can create dashboard summaries for your presentation too.
5. Along with the tables you will discuss the findings, how the two tools might have found different issues, any disagreements between tools, etc. and also conclude which tool you recommend be routinely used (or neither or both) and why.
6. Your final recommendations will be what issues should be addressed, in what order, and why (roadmap). Convincing reasons are quantitative impact on the business vs. perhaps how costly it would be to take action. Include how. (See Step 6, Items 1-2.)

Check Step 7 for information in the non-technical presentation to upper management/executives. There are a few key statements about the purpose of the presentation.

1. Upper-management is interested in the bottom line. Help them understand the technical vulnerabilities you found by giving them the business consequences.
2. Help them understand that having these issues is normal for an organization and they just need to address them.
3. Help them clearly see their required actions and/or approvals.
4. Remember the options are to do nothing and accept the risk, to take all, or some, of the recommended actions. Also remember that there are often multiple actions that can be taken for a given vulnerability. Help them understand which to settle on. You can make the suggested steps clear to them at the very end.

A sample outline for the SAR is attached.

Project 2 START HERE PAGE

The operating system (OS) of an information system contains the software that executes the critical functions of the information system. The OS manages the computer's memory, processes, and all of its software and hardware. It allows different programs to run simultaneously and access the computer's memory, central processing unit, and storage. The OS coordinates all these activities and ensures that sufficient resources are applied.
These are the fundamental processes of the information system and if they are violated by a security breach or exploited vulnerability it has the potential to have the biggest impact on your organization.

Security for operating systems consists of protecting the OS components from attacks that could cause deletion, modification, or destruction of the operating system. Threats to an OS could consist of a breach of confidential information, unauthorized modification of data, or unauthorized destruction of data. It is the job of the cybersecurity engineer to understand the operations and vulnerabilities of the OS (whether it is a Microsoft, Linux, or another type of OS), and to provide mitigation, remediation, and defense against threats that would expose those vulnerabilities or attack the OS.

There are six steps that will help you create your final deliverables. The deliverables for this project are as follows:

1. Security Assessment Report (SAR): This report should be a 7-8 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
2. Nontechnical presentation: This is a set of 8-10 PowerPoint slides for upper management that summarizes your thoughts regarding the findings in your SAR.
3. In a Word document, share your lab experience and provide screen prints to demonstrate that you performed the lab.

When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

• 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
• 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
• 5.4: Identify potential threats to operating systems and the security features necessary to guard against them.
________________________________________________________________

Step 1: Defining the OS

The audience for your security assessment report (SAR) is the leadership of your organization, which is made up of technical and nontechnical staff. Some of your audience will be unfamiliar with operating systems (OS). As such, you will begin your report with a brief explanation of operating systems fundamentals and the types of information systems.

Click on and read the following resources that provide essential information you need to know before creating a thorough and accurate OS explanation:

• operating systems fundamentals
• the applications of the OS
• The Embedded OS
• information system architecture
• cloud computing
• web architecture

After reviewing the resources, begin drafting the OS overview to incorporate the following:

1. Explain the user's role in an OS.
2. Explain the differences between kernel applications of the OS and the applications installed by an organization or user.
3. Describe the embedded OS.
4. Describe how the systems fit in the overall information system architecture, of which cloud computing is an emerging, distributed computing network architecture.

Include a brief definition of operating systems and information systems in your SAR.

Step 2: OS Vulnerabilities

You just summarized operating systems and information systems for leadership. In your mind, you can already hear leadership saying "So what?" The organization's leaders are not well versed in operating systems and the threats and vulnerabilities in operating systems, so in your SAR, you decide to include an explanation of advantages and disadvantages of the different operating systems and their known vulnerabilities.
Prepare by first reviewing the different types of vulnerabilities and intrusions explained in these resources:

• Windows vulnerabilities
• Linux vulnerabilities
• Mac OS vulnerabilities
• SQL PL/SQL, XML and other injections

Based on what you gathered from the resources, compose the OS vulnerability section of the SAR. Be sure to:

1. Explain Windows vulnerabilities and Linux vulnerabilities.
2. Explain the Mac OS vulnerabilities, and vulnerabilities of mobile devices.
3. Explain the motives and methods for intrusion of the MS and Linux operating systems.
4. Explain the types of security awareness technologies such as intrusion detection and intrusion prevention systems.
5. Describe how and why different corporate and government systems are targets.
6. Describe different types of intrusions such as SQL PL/SQL, XML, and other injections.

You will provide leadership with a brief overview of vulnerabilities in your SAR.

Step 3: Preparing for the Vulnerability Scan

You have just finished defining the vulnerabilities an OS can have. Soon you will perform vulnerability scanning and vulnerability assessments on the security posture of the organization's operating systems. But first, consider your plan of action. Read these two resources to be sure you fully grasp the purpose, goals, objectives, and execution of vulnerability assessments and security updates:

• Vulnerability assessments
• Patches

Then provide the leadership with the following:

1. Include a description of the methodology you proposed to assess the vulnerabilities of the operating systems. Provide an explanation and reasoning of how the methodology you propose, will determine the existence of those vulnerabilities in the organization’s OS.
2. Include a description of the applicable tools to be used, and the limitations of the tools and analyses, if any.
Provide an explanation and reasoning of how the applicable tools to be used, you propose, will determine the existence of those vulnerabilities in the organization’s OS.
3. Include the projected findings from using these vulnerability assessment tools.

In your report, discuss the strength of passwords, any Internet Information Services' administrative vulnerabilities, SQL server administrative vulnerabilities, and other security updates and management of patches, as they relate to OS vulnerabilities.

Step 4: Vulnerability Assessment Tools for OS and Applications (LAB)

Note: You will use the tools in Workspace for this step. If you need help outside the classroom, register for the CLAB 699 Cyber Computing Lab Assistance (go to the Discussions List for registration information). Primary lab assistance is available from a team of lab assistants. Lab assistants are professionals and are trained to help you.

Click here to access the instructions for Navigating the Workspace and the Lab Setup. Enter Workspace and complete the lab activities related to operating system vulnerabilities. Click here to access the Project 2 Workspace Exercise Instructions. Explore the tutorials and user guides to learn more about the tools you will use.

You've prepared for your assessment; now it's time to perform. Security and vulnerability assessment analysis tools, such as Microsoft Baseline Security Analyzer (MBSA) for Windows OS and OpenVAS for Linux OS, are stand-alone tools designed to provide a streamlined method for identifying common security misconfigurations and missing security updates for the operating systems and applications. These tools work on layers 5-7 of the Open System Interconnection (OSI) model. Your leadership will want to understand the differences and commonalities in the capabilities of both tools and will want this included in the SAR.
Use the tools' built-in checks to complete the following for Windows OS (e.g., using Microsoft Baseline Security Analyzer, MBSA):

1. Determine if Windows administrative vulnerabilities are present.
2. Determine if weak passwords are being used on Windows accounts.
3. Report which security updates are required on each individual system.
4. You noticed that the tool you used for Windows OS (i.e., MBSA) provides dynamic assessment of missing security updates. MBSA provides dynamic assessment of missing security updates. Scan one or more computers by domain, IP address range, or other grouping.
5. Once complete, provide a detailed report and recommendations on how to make your system a more secure working environment. In this case, a tool such as MBSA will create and store individual XML security reports for each computer scanned and will display the reports in the graphical user interface in HTML.

You will also complete a similar exercise for Linux OS (e.g., using the OpenVAS tool). Select the following links to learn more about OpenVAS and computer networks:

• OpenVAS
• Computer Networks

Utilize the OpenVAS tool to complete the following:

1. Determine if Linux vulnerabilities are present.
2. Determine if weak passwords are being used on Linux systems.
3. Determine which security updates are required for the Linux systems.
4. You noticed that the tool you used for Linux OS (i.e., OpenVAS) provides dynamic assessment of missing security updates. MBSA provides dynamic assessment of missing security updates. Scan one or more computers by domain, IP address range, or other grouping.
5. Once complete, provide a detailed report and recommendations on how to make your system a more secure working environment.

Knowledge acquired from this Workspace exercise and capability of this tool will help your company's client organizations secure the computer networks’ resources and protect corporate data from being stolen. Validate and record the benefits of using these types of tools.
You will include this in the SAR.

Step 5: The Security Assessment Report

By utilizing security vulnerability assessment tools, such as MBSA and OpenVAS, you now have a better understanding of your system's security status. Based on the results provided by these tools, as well as your learning from the previous steps, you will create the Security Assessment Report (SAR).

In your report to the leadership, emphasize the benefits of using a free security tool such as MBSA. Then make a recommendation for using these types of tools (i.e., MBSA and OpenVAS), including the results you found for both.

Remember to include these analyses and conclusions in the SAR deliverable:

1. After you provide a description of the methodology you used to make your security assessment, you will provide the actual data from the tools, the status of security and patch updates, security recommendations, and offer specific remediation guidance, to your senior leadership.
2. You will include any risk assessments associated with the security recommendations, and propose ways to address the risk either by accepting the risk, transferring the risk, mitigating the risk, or eliminating the risk.

Include your SAR in your final deliverable to leadership.

Step 6: The Presentation

Based on what you have learned in the previous steps and your SAR, you will also develop a presentation for your company's leadership. Your upper-level management team is not interested in the technical report you generated from your Workspace exercise. They are more interested in the bottom line. You must help these nontechnical leaders understand the very technical vulnerabilities you have discovered. They need to clearly see what actions they must either take or approve.

The following are a few questions to consider when creating your nontechnical presentation:

1. How do you present your technical findings succinctly to a nontechnical audience?
Your Workspace exercise report will span many pages, but you will probably not have more than 30 minutes for your presentation and follow-up discussion.
2. How do you describe the most serious risks factually but without sounding too temperamental? No one likes to hear that their entire network has been hacked, data has been stolen, and the attackers have won. You will need to describe the seriousness of your findings while also assuring upper-level management that these are not uncommon occurrences today.
3. How do your Workspace exercise results affect business operations? Make sure you are presenting these very technical results in business terms that upper-level management will understand.
4. Be very clear on what you propose or recommend. Upper-level management will want to not only understand what you discovered; they will want to know what you propose as a solution. They will want to know what decisions they need to make based on your findings.

Your goal for the presentation is to convince the leadership that adopting a security vulnerability assessment tool (such as MBSA) and providing an extra security layer is a must for the company.

The deliverables for this project are as follows:

1. Security Assessment Report (SAR): This report should be a 7-8 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
2. Nontechnical presentation: This is a set of 8-10 PowerPoint slides for upper management that summarizes your thoughts regarding the findings in your SAR.
3. In a Word document, share your lab experience and provide screen prints to demonstrate that you performed the lab.

Submit your deliverables to the assignment folder.

Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them in your work.
• 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
• 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
• 5.4: Identify potential threats to operating systems and the security features necessary to guard against them.

Running head: Security Assessment Report (Windows and Linux)

SAR
Student Name
College

Abstract

Security Assessment Report (SAR) is a document that lays out summarized risks and vulnerabilities of a specific system, in this case operating system (Windows and Linux), discovered in the course of a security assessment to the Information System Security Officer (ISSO), the system authorization officials and the system owner. SAR main motive is to report back the outcomes of security assessments done for processes, people, information systems and policies as included in the information technology infrastructure. To meet security targeted goals (confidentiality, integrity, and availability), SAR is updated when security assessments are conducted to allow continuous surveillance of activities. Below are the factors that will be considered in this SAR:

• Operating system (OS) overview
• OS vulnerabilities
• Vulnerabilities assessment methods
• Recommendation
• Presentation

Operating system overview.

An operating system is a collection of software application programs that allows the user/liveware to perform essential computer functions like commanding peripherals and scheduling tasks by facilitating management and smooth execution of the installed programs. For service, the application programs need the OS. Examples of operating systems are Microsoft Windows, Linux, iOS, Android and Mac OS X.

OS three most common characteristics:

• User interface - is the interaction of the user with the computer programs. It can be through commands, lines or graphics named command user interface (CUI) or graphical user interface (GUI) respectively.
• Application programs - allows application and system developers to write program codes.
• Kernel - has control over computer hardware.

Operating systems is load software's kernel included. A kernel is like a micro OS in more straightforward terms which runs all the essential and necessary functions of a computer system, and it can be independent on its own while operating system depends on the kernel to support its functions; providing interface.

An embedded operating system is an OS coded to run a single program for embedded computer software. It is written to be reliable, resource usage, compact and efficient for real-time tasks mainly because of maintainability, portability and the increased speed. Embedded OS tends to work under hardware systems with a slower CPU (RAM/ROM) or low computing power hence coded to be specific in their scope and applications.

Operating systems can be open source or closed software depending on the copyrighted legal rights of the source code under the developer and the user. In closed/proprietary software the user is restricted from studying or making any changes in the code while in open-source software the user can cause changes in the source code to suit his needs.

OS essential functions are interface providence between the system and the user, coordination of computer hardware devices, monitoring system functions, provides the software applications with a convenient environment to function and also it allows data management (Robins, 2007).

Information system architecture is a conceptual model which defines the system interactions, product technologies, technical framework, and components structure for a particular business's information system.
On the other hand, web architecture is structured plans and designs for the elements of the website to be developed. It includes human-computer interaction, web usability and the models of the website graphics, web, information, interaction, user-interface, and interactions. Cloud computing is where the managing, accessing, processing and storing of programs and data is achieved using internet hosted remote servers rather than local servers.

OS vulnerabilities

Following the above information about the fundamentals of the operating system, I have expounded more on threats and vulnerabilities affecting each type of the operating system with their intrusions.

Windows vulnerabilities and intrusions.

All Windows systems have potential insecurities that can be avoided following basic knowledge and information. The common threats associated with our Windows systems are poor data management systems that give anyone anywhere permission to access and share files, weak or non-existent passwords on logins, wireless networks and drive encryptions, lack of antivirus or outdated antispyware software and weak security policy settings. The mentioned factors seem minor, but they lead to local severe servers breach making headlines on cyber theft and attacks.

Any competent programmer or a cyber-criminal can gain access of ports, files, and processes without natural login abilities by use of a server message block (SMB) which is a programmed layer protocol that permits the requested information in the system. Another intrusion method is the use of stealth port scans that allows malicious attempt and enables connections requests without auditing tools noticing the intrusion.

Linux vulnerabilities and intrusion

In Linux, a vulnerability is a specific security-concerned weakness or bug that affects the Linux operating system.
Unlike with Windows, the threats and vulnerabilities of the Linux operating system are left unnoticed by administrators, yet they offer a window for cyber-attacks and contribute to organizational risk. These gaps include outdated third-party software (such as PHP, Apache, OpenSSL, VNC, and MySQL); weak or missing passwords; a lack of backups for Linux-based systems; the lack of a patching methodology and system for Linux; and insufficient system hardening to protect telnet communications and files from interception on under-secured networks.

MacOS vulnerabilities

Mac OS is a graphical-interface operating system developed, programmed, and marketed by Apple. MAC has hardware or physical addresses, a uniquely formatted hexadecimal number for each specific computer and computer network. Unlike on Windows and Linux, Mac OS security holes can only happen if the user allows them by unknowingly and voluntarily running a hacker's application on the system. It can be an attachment or link, newly downloaded software, or security updates. Comparing mobile devices with the Mac operating system, mobile devices are less predisposed to cyber threats.

Vulnerabilities of mobile phones

Just like other computer systems, mobile phones are prone to vulnerabilities because they support system software and, mostly, application software designed for Android devices. These vulnerabilities include data leaks, outdated antivirus software, worms and viruses, and cyber insecurity over less secure connections; physical damage can also cause data loss and make some applications inaccessible.

Injection attacks

Injection attacks occur when a program's execution is altered after an attacker feeds it a malicious statement as part of a query or command.
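An added illustration of that definition for the SQL case (not part of the original report): the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database from Python's standard library. The table, rows, function names, and inputs are constructed for the example.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, role TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [("alice", "admin", 9000), ("bob", "clerk", 4000), ("o'brien", "auditor", 6000)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately unsafe: the input is pasted into the SQL text itself."""
    query = "SELECT name, role FROM staff WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened: the ? placeholder binds the input as a value, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM staff WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups on a crafted input and on a legitimate apostrophe."""
    conn = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input that rewrites the WHERE clause
    results = {
        # The concatenated query becomes "... name = 'nobody' OR '1'='1'",
        # which is true for every row, so the whole table comes back.
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),
        # Bound as data, the same string matches no name at all.
        "safe_rows": len(lookup_safe(conn, crafted)),
        # A legitimate name containing a quote works with binding...
        "safe_apostrophe": lookup_safe(conn, "o'brien"),
    }
    try:
        # ...but breaks the concatenated statement, a common first symptom.
        lookup_vulnerable(conn, "o'brien")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Unexpected SQL syntax errors in application logs on inputs containing a quote character are a useful signal when reviewing code for concatenated queries.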
There are different types of injection attack, such as XPath injection, SQL injection, carriage return and line feed (CRLF) injection, code injection, OS command injection, email injection, and many others. SQL injection is an injection attack that takes over the relational database management system (RDBMS), the database server program of the SQL system, by executing malicious SQL statements that deliver the contents of the database to the attacker. Just like other application software, PL/SQL can be at risk of SQL injection. It causes loss of data, system compromise, denial of access to services, and loss of data integrity.

Government and corporate systems are the primary targets of cyber attacks, mainly because of the information they store. Depending on the hackers' motives, government and corporate agencies are losing people's trust, and hence they should invest in strong defense mechanisms against cybercrime, starting by implementing robust systems to protect privately stored data.

Because of the high rate of cyber-attacks, business organizations are thoroughly acquainted with system threats and vulnerabilities, so ways to curb them are learned and enacted to lessen the risk of data loss, or even stop it if lucky, depending on the organization's efforts. Usually a risk assessment is done to assess the overall negative impact an organization will face if data is exposed or lost. Technical control methods are imposed after the risks have been pinpointed and ranked accordingly (Curphey, 2006). Different technologies can be deployed to boost security awareness:

• Intrusion detection systems (IDS) - they can be connected to a network hub via any port and monitor the stream of data and information in the network packets on a local area network (LAN). They detect malicious data. (Remove and replace with sentence the IDS was the edge from 2003-2004. But IPS can detect and prevent. – something like that)

• Intrusion prevention systems (IPS) - since network devices like switches and routers are inline devices, an IPS can work at high speed, hence it is connected in between them to sense and block any harmful network traffic. The two technologies, IPS and IDS, work in line with each other, since both detect and prevent threats to sensitive private data.

Vulnerabilities Assessment methods

Vulnerabilities are unsecured gaps that attackers might use to gain control over the system. It is through vulnerability assessments that a vulnerability is recognized, categorized, and characterized according to where it originates among the computer system's elements. There are different assessment scanning tools for assessing vulnerabilities, such as OpenVAS, Microsoft Baseline Security Analyzer (MBSA), Comodo Hacker Proof, Nikto, Tripwire IP360, Wireshark, Nexpose Community, Retina CS Community, Aircrack, and Nessus Professional. I will explain only two of them in more detail: MBSA and OpenVAS (Wales, 2003).

According to Mark (2011), “Microsoft Baseline Security Analyzer (MBSA) is a Microsoft assessment scanning tool which is Microsoft writes free purposed to secure windows applications and system programs following guidelines and specifications.” OpenVAS, on the other hand, is an open assessment scanning tool used both for scanning and for managing the vulnerability assessment.

Add paragraph about SIMILARITIES of Open VAS and MBSA. # of people it takes to run and/or what type of experience people need to run the tool(s).

The main difference between the OpenVAS and MBSA assessment scanning tools is that OpenVAS works with different operating systems, while MBSA works only with Windows. Both are free of cost to users, and both can also be used as security tools because they allow security updates.
MBSA gives quick insights but has weak passwords and limited power in patches, services, and sharing, hence it is commonly used by small and medium-sized organizations.

For the activities conducted in the lab, the system administrator and system manager needed the OpenVAS and MBSA scanning tools to assess OS vulnerabilities clearly and practically on Linux and Windows respectively. It was noted that, unlike MBSA, OpenVAS was time-consuming and laborious to use, since users first had to learn how to use Linux commands to execute programs, while MBSA was efficient, reliable, and easy to use and understand because of its detailed, step-by-step findings for each Windows vulnerability and how to troubleshoot it. Screen-prints showing how the two assessment scanning tools are used are provided at the end of the report.

OS vulnerabilities relate to password strength, patch management, Internet Information Services (IIS) administrative vulnerabilities, security updates, and SQL Server administrative vulnerabilities in that these are the chief security checks that should be run frequently on a local server or network to prevent and reduce illegal access by unintended people to the entire computer system.

Risk assessments methodology

Risk assessments are conducted using the vulnerability assessment tools (MBSA) to identify, analyze, rank, and manage OS security weaknesses in order to prevent possible future damage.
A risk assessment is done by following easy-to-learn steps: first identifying the risk; determining the subjects that might be affected by the uncertainty; evaluating the risk and coming up with control or preventive measures; implementing the measures and recording the findings; and finally reviewing the risk assessment when necessary, at least quarterly. Only after a thorough risk assessment procedure has been conducted can the organization decide which type of risk strategy to handle the vulnerability with. The organization makes that decision by balancing the cost of avoiding the risk against the cost of implementing a control measure. There are four types of risk strategy:

• Transferring risk - a risk control and management strategy that involves transferring the risk to a third party to handle. An example is purchasing an insurance policy, where the risk of loss is transferred from the policyholder to the insurer. Risk can also be transferred from individuals to insurance companies or from insurers to reinsurers.

• Eliminating risk, or risk avoidance - the opposite of accepting risk. The organization covers the cost of countering the vulnerability. It is the most expensive risk strategy. Rather than being eliminated, the risk can be managed: even though there is a possibility of loss, the consequences of the risk are unknown, so eliminating or avoiding part or all of a project because of the risk might not be wise. Consider the other risk strategies before choosing elimination.

• Accepting risk - involves accepting the adverse risks from the vulnerability because the cost of its avoidance is outweighed by the cost of implementing a preventive measure to curb the vulnerability. It is also known as risk retention. It applies to vulnerabilities with less catastrophic effects, or where the control measure is too expensive, so a decision is made to wait and deal with the risks when they arise. Accepting risk is a worthwhile tool in the process of budgeting and prioritization. An example of accepting risk can be seen in self-insurance.

• Mitigating risk - also called risk reduction. It is an overall strategy that involves taking planned steps to reduce the negative impact, or the probability of occurrence, of the risk's effects on the organization's OS. It may include reducing or increasing scope to protect the organization from avoidable lawsuits. (CITATION)

After remediation and mitigation of the risk, an organization can put in place a Plan of Action and Milestones (POA&M) as a tool for identifying, assessing, monitoring, and prioritizing system vulnerabilities and threats to avoid possible future security breaches.

Recommendation – Weak – need more substance and why it is important. Refer back to information in file name Project 2 Notes and Suggestion.

The security of the company's data systems is an important concern, and I recommend MBSA as the assessment scanning tool for the company, because it is easy to use and it provides and improves data management by detecting system updates, troubleshooting in case of a threat, and finding misconfigurations in the computer system (software, hardware, and liveware). For risk mitigation and remediation, I recommend the use of encryption methods and firewalls on the log files to improve the security of the organization's operating systems (Curphey & Arawo, 2006).

The graphics from the SAR.
After the MBSA assessment scanning tool is downloaded and installed, the following steps are followed to scan the computer system:

First, click on "Scan a computer", leaving the other settings at their defaults.

Start the scan.

The results for security updates, Windows, and any additional updates, respectively.

Screen-prints for analyzing the scanned assessment and how to correct the vulnerabilities.

Referencing

Assessment, C. R. (1996). Proposed guidelines for carcinogen risk assessment. Federal Register, 61(79), 17960-18011.

Curphey, M., & Arawo, R. (2006). Web application security assessment tools. IEEE Security & Privacy, 4(4), 32-41.

Mark S.P. (2011 Sep). Audit Tools That Won't Break the Bank – PDF. WBA Technology Conference. Retrieved Aug 12, 2018 from: https://docplayer.net/17595612-Audit-toolsthat-won-t-break-the-bank.html

Robins, Mark. "Feature centric release manager method and system." U.S. Patent No. 7,266,502. 4 Sep. 2007.

Todd Sr, R. E., Glahe, A. C., & Pendleton, A. H. (2001). U.S. Patent No. 6,185,689. Washington, DC: U.S. Patent and Trademark Office.

Wales, E. (2003). Vulnerability assessment tools. Network Security, 7, 15-17.

Explanation & Answer

Hello, Find attached the completed work. Feel free to ask for any editing or clarification if need be. Looking forward to working with you again in the future. Thank you
Attached.

Running head: Security Assessment Report (Windows and Linux)

SAR
Student Name
College


Abstract
A Security Assessment Report (SAR) is a document that lays out, for the Information System
Security Officer (ISSO), the system authorization officials, and the system owner, the
summarized risks and vulnerabilities of a specific system, in this case the operating system
(Windows and Linux), discovered in the course of a security assessment. The SAR's main purpose
is to report the outcomes of security assessments done on the processes, people, information
systems, and policies included in the information technology infrastructure. To meet the
targeted security goals (confidentiality, integrity, and availability), the SAR is updated
whenever security assessments are conducted, allowing continuous surveillance of activities.
Below are the factors that will be considered in this SAR:


• Operating system (OS) overview
• OS vulnerabilities
• Vulnerabilities assessment methods
• Recommendation
• Presentation


In the contemporary business environment, enterprises derive a lot of competitive
advantage from implementing information technology, or rather from integrating it into
most of their business processes. Information technology has basically guaranteed
information security for enterprises that have taken IT seriously. Those that ignore it, or
that fail to put their best foot forward by focusing on a smaller budget in the short term
rather than on the long term, often have to deal with various information security breaches
and hence more costs in terms of handling and data loss. For this reason, it is fundamental
that organizations take a proactive approach to ensuring that their information is secured,
first of all by securing their operating systems.
Windows is one of the most commonly used operating systems in the world today because of its
ease of use. As much as this is an advantage, it also means that Windows systems are a soft
landing spot for attackers, and hence the most vulnerable operating system. Operating system
vulnerability assessment is one of the ways organizations can ensure the safety of their
operating systems, as this process ultimately results in the installation of the right
security measures to secure enterprise information.
Operating system overview
An operating system is a collection of software application programs that allows the
user/liveware to perform essential computer functions, like commanding peripherals and
scheduling tasks, by facilitating the management and smooth execution of the installed
programs. Application programs need the OS for service. Examples of operating systems are
Microsoft Windows, Linux, iOS, Android, and Mac OS X. The three most common characteristics
of an OS are:


• User interface - the interaction of the user with the computer programs. It can be
through command lines or graphics, named command user interface (CUI) or graphical
user interface (GUI) respectively.
• Application programs - allow application and system developers to write program code
• Kernel - has control over the computer hardware

An operating system is loaded software, the kernel included. In more straightforward terms,
a kernel is like a micro OS that runs all the essential and necessary functions of a computer
system. It can stand on its own, while the operating system depends on the kernel to support
its functions, including providing the interface. An embedded operating system is an OS coded
to run a single program for embedded computer software. It is written to be reliable, compact,
and efficient in resource usage for real-time tasks, mainly for the sake of maintainability,
portability, and increased speed. Embedded OSs tend to work on hardware systems with a slower
CPU (RAM/ROM) or low computing power, and are therefore coded to be specific in their scope
and applications.
Operating systems can be open-source or closed-source software, depending on the legal
rights to the copyrighted source code held by the developer and the user. In
closed/proprietary software the user is restricted from studying or changing the code, while
in open-source software the user can change the source code to suit his needs. OS essential
functions are interface providence between the system and the u...

