Instructions Security Assessment Tool Conduct Internet research on your selection for a security assessment tool. You will need to access, review, and determine if the tool can be used for the...


Instructions

Security Assessment Tool

Conduct Internet research on your selection for a security assessment tool. You will need to access, review, and determine if the tool can be used for the project. It is recommended to provide two options to compare the features, pricing, compatibility, and functionality.


This assignment builds upon your previous assignment in Unit III, which covered the cyber security framework, so the chosen security assessment tool(s) should be based on your choice of industries: aerospace, healthcare, or government agencies.


Requirements for this checklist include the following.



  • Include a title page containing the company name and your name.

  • Download and install your selection of security assessment tool onto your computer system.

  • Run your assessment tool, and provide a screenshot of the audit scan in your document.

  • Select at least three vulnerabilities, and create a risk assessment matrix that shows the impact (low, medium, or high) of each vulnerability.

  • Explain what preventive measures you should take for the selected vulnerabilities.

  • Include a reference page containing at least three references.


Your security assessment tool must be at least one page in length, not including the title page and references page. This assignment will be added to your outline to produce a completed project at the end of the course. Adhere to APA Style when creating citations and references for this assignment.




SEC 4320, IS Security Capstone

UNIT IV STUDY GUIDE
IT Security Assessment

Course Learning Outcomes for Unit IV

Upon completion of this unit, students should be able to:

1. Compile a vulnerability assessment using the current security posture.
   1.1 Query which assessment tool is best for auditing assets.
   1.2 Classify an impact level as low, medium, or high for an asset that is vulnerable.
5. Construct preventative measures to ensure critical assets are secure.
   5.1 Examine solutions on how to eliminate and secure vulnerable assets.

Course/Unit Learning Outcomes and Learning Activities

  • 1.1: Unit Lesson; Video: Security Assessment and Audit; Unit IV Assignment

  • 1.2: Unit Lesson; Unit IV Assignment

  • 5.1: Unit Lesson; Article: “Securing Industrial Control Systems: ICSs Are Vulnerable Targets to Cyber Attacks. More Than Conventional IT-Security Solutions Are Needed to Protect Them”; Article: “Implementing and Auditing the Critical Security Controls—In-Depth”; Unit IV Assignment

Required Unit Resources

In order to access the following resources, click the links below.

Ginter, A. (2013, July 1). Securing industrial control systems: ICSs are vulnerable targets to cyber attacks. More than conventional IT-security solutions are needed to protect them. Chemical Engineering, 120(7). https://link.gale.com/apps/doc/A336605665/AONE?u=oran95108&sid=AONE&xid=39208d11

Tarala, J. (2015, October 1). Implementing and auditing the Critical Security Controls—in-depth. SC Magazine, 26(10), 24A. https://link-gale-com.libraryresources.columbiasouthern.edu/apps/doc/A439110061/ITOF?u=oran95108&sid=ITOF&xid=d87dde39

Please view the video below about security assessment and audit. A transcript and closed captioning are available once you access the video.

Intrigano. (2017, December 25). Security assessment and audit [Video]. YouTube. https://c24.page/4ksxy6unv8g3we9vfumbht484w

Unit Lesson

The information technology security assessments are an important element in discovering the health of an organization’s information technology infrastructure. As you have been pursuing your degree in cyber security, you have come across the following two terms: assessment and audit. Both of these terms, while seeming to have the same meaning, are actually different in nature and are used in different references to cyber security policies and regulations. From the standpoint of the meaning of assessment and audit, we can consult an online dictionary:

  • assessment—the act of judging something (“Assessment,” n.d.) and

  • audit—refers to a formal examination, review, and report of an organization (“Audit,” n.d.).

As you can see from the dictionary definitions of assessment and audit, they are actually different. From the cybersecurity standpoint, the following definitions can be used.

  • Assessment involves the different levels of risks that affect the operations and information technology (IT) infrastructure of the organization based on formal standards and reference models. These critical impact levels can be categorized as low, medium, or high.

  • Audit is the process of evaluating the assets and business processes that are measured against standards, regulations, policies, and/or specifications by using quality checklists.

Please note that although assessment and audit have different meanings, they work hand-in-hand. In other words, you cannot have assessments without auditing and vice versa.
According to Tarala (2015), cybersecurity threats continue to evolve, and critical security controls are an effective way to ensure a protected security framework. Such controls should be audited to know how to fix, address, and identify threats to create a security baseline. By the same token, Greene (2015) mentions that there are 20 top security controls that should be assessed and updated to ensure that the IT infrastructure is secured.

Review the two videos below in reference to the Health Insurance Portability and Accountability Act (HIPAA). One video looks at auditing, and the other looks at assessments:

  • Steps in the Audit Process Video (https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=https://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=52817&loid=197876)

  • HIPAA Risk Assessment Standard Video (https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=https://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=52817&loid=197881)

The transcript for both video segments can be found by clicking on “Transcript” in the gray bar to the right of the video in the Films on Demand database.

These assessments and audits are living processes because today’s cybersecurity environment changes with the business paradigm and needs to be monitored continually. You can read more about security assessments from the Cybersecurity and Infrastructure Security Agency (CISA) web page (https://www.dhs.gov/cisa/cybersecurity-assessments). CISA’s main focus is to assist all organizations with their cybersecurity by providing the necessary security resources about how to prepare secure risk management for their critical information infrastructure.

There are many free audit and assessment tools that can be downloaded and used to understand the basic principle of auditing and assessments. One excellent example is the Microsoft Baseline Security Analyzer (MBSA) (https://www.microsoft.com/en-us/download/details.aspx?id=19892). The MBSA is an auditor that scans your computer network and performs security checks on your network and system and also looks for misconfigurations. From the auditing findings discovered by the MBSA, you could develop an assessment that can help you correct your security issues. See a sample scan from the MBSA below:

Figure 1: Microsoft Baseline Security Analyzer sample audit scan

The MBSA audit scan shows different areas of a local machine that was scanned for vulnerabilities. Most of the vulnerabilities will have helpful results that the user can click on to find more information about the vulnerability such as what was scanned, result details, and how to correct the issues that were found. Again, some of the issues will have one, two, or all three information items. Note the information area titled “How to correct this” is a preventive measure for that particular vulnerability only.

So how would an assessment be created from this auditing scan? Let’s take a look at two examples; the first is Automatic Updates, and it shows that a critical check failed. The second example is Password Expiration, which shows that a non-critical check failed. To develop or create a risk assessment impact report, a simple table called a risk assessment impact matrix can be used as shown below.

ITEM | Low Impact | Medium Impact | High Impact
Automatic Updates | | | x
Password Expiration | | x |

How the organization’s policy and/or regulation is written for the identified items will determine the impact. An example of your organization’s documentation might state that all systems must have all automatic updates activated on all systems. Also, the documentation might state that critical systems passwords must be updated every 60 days, and non-critical should be updated every 6 months. Based on the organization’s documents and the scan results, you determine that the automatic updates results in a high-risk impact, and the password expiration is a medium impact. Please note that this is your assessment based on the organization’s documentation on critical asset controls and the scanned report. It is upper management’s ultimate decision to determine if the assessment will be taken into consideration. As a security professional, it is your job to point out what you found in the organization’s documentation, scanned audit, and your assessment. The decision-making process to approve or disapprove the findings belongs to upper management.

The Microsoft Baseline Security Analyzer (MBSA) is one of the most widely used analyzers because of the plethora of Windows operating systems. Other scanning analyzers found on the Internet that are free to use include GFI LanGuard, Nagios, Pandora FMS, and Wireshark. These are just some of the many analyzers that can be used by the user to scan for vulnerabilities in systems. Most free analyzers can be used by an individual user, whereas organizations will use a more robust analyzer. The cost of such an analyzer will be determined by how large of an information technology infrastructure the organization has and the budget constraints of the organization.

References

Greene, T. (2015). SANS: 20 critical security controls you need to add. https://www.networkworld.com/article/2992503/sans-20-critical-security-controls-you-need-to-add.html

Merriam-Webster. (n.d.). Assessment. In Merriam-Webster.com dictionary. https://www.merriam-webster.com/dictionary/assessment

Merriam-Webster. (n.d.). Audit. In Merriam-Webster.com dictionary. https://www.merriam-webster.com/dictionary/audit

Tarala, J. (2015, October 1). Implementing and auditing the Critical Security Controls—in-depth. SC Magazine, 26(10), 24A. https://link-gale-com.libraryresources.columbiasouthern.edu/apps/doc/A439110061/ITOF?u=oran95108&sid=ITOF&xid=d87dde39
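
An added example, not part of the study guide or of MBSA: the lesson's risk assessment impact matrix built from audit findings and the organization's written policy. The finding records, the policy table, the third (passed) finding and the rating rule (a policy-mandated critical failure is High, a policy-mandated non-critical failure is Medium, a failure no policy covers is Low) are assumptions chosen to reproduce the lesson's two ratings.

```python
# Added illustration: records, policy and rating rule are assumptions
# modelled on the lesson's two examples, not MBSA output or an MBSA API.
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

@dataclass(frozen=True)
class Finding:
    item: str       # check name as shown in the audit scan
    critical: bool  # True when the scan marks the check as critical
    failed: bool    # True when the check failed

# Constructed policy excerpts, paraphrasing the lesson's documentation example.
POLICY = {
    "Automatic Updates": "All systems must have automatic updates activated.",
    "Password Expiration": "Critical systems: 60 days; non-critical: 6 months.",
}

# Constructed scan results; the third entry shows that a passed check is skipped.
SCAN = [
    Finding("Automatic Updates", critical=True, failed=True),
    Finding("Password Expiration", critical=False, failed=True),
    Finding("Windows Firewall", critical=True, failed=False),
]

def rate(finding, policy):
    """Assumed rule: return an impact level, or None if the check passed."""
    if not finding.failed:
        return None
    if finding.item not in policy:
        return "Low"  # failed, but no written requirement covers the item
    return "High" if finding.critical else "Medium"

def build_matrix(findings, policy):
    """Map each failed item to its impact level, keeping scan order."""
    rated = ((f.item, rate(f, policy)) for f in findings)
    return {item: level for item, level in rated if level is not None}

def render(matrix):
    """Lay the matrix out as the lesson's table: one x per row."""
    heads = [f"{level} Impact" for level in LEVELS]
    width = max([len("ITEM")] + [len(item) for item in matrix])
    lines = ["  ".join(["ITEM".ljust(width)] + heads)]
    for item, level in matrix.items():
        cells = [("x" if l == level else "").center(len(h))
                 for l, h in zip(LEVELS, heads)]
        lines.append("  ".join([item.ljust(width)] + cells).rstrip())
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(build_matrix(SCAN, POLICY)))
```

Passing a different policy table to `build_matrix` changes the ratings for the same scan, which is the lesson's point that the written policy determines the impact.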
Answered 2 days after May 27, 2021


Ankit answered on May 29 2021
145 Votes
SECURITY RISK ASSESSMENT: Health IT
Provide two options to compare the features, pricing, compatibility, and functionality.
The options for comparing the features, pricing, compatibility, and functionality are:
· Enhanced user interface
· Modular workflow
· Custom assessment logic
· Progress tracker
· Threats & vulnerabilities...