Posted: February 28th, 2023

CST 610 Proj 3

Project 3 Scenario: We are structuring our scenario around the capital one data breach 2019, I have a couple references already, feel free to add more if needed. My section is from the perspective of law enforcement, as it pertains to this incident.

Deliverables are described below, total of 5-9 pages, 2 separate docs, an After Action Report 2-4 pages, and a Security Assessment Report 3-5 pages.

You are part of a collaborative team that was created to address cyber threats and exploitation of US financial systems’ critical infrastructure. Your team has been assembled by the White House cyber national security staff to provide situational awareness about a current network breach and cyberattack against several financial service institutions.

Your role is:

• A      representative from law enforcement, who has provided additional evidence      of network attacks found using network defense tools.

Provide education and security awareness to the financial services sector about the threats, vulnerabilities, risks, and risk mitigation and remediation procedures to be implemented to maintain a robust security posture.

Project 3 Scenario: We are structuring our scenario around the capital one data breach 2019, I have a couple references already, feel free to add more if needed. My section is from the perspective of law enforcement, as it pertains to this incident.

You are part of a collaborative team that was created to address cyber threats and exploitation of US financial systems’ critical infrastructure. Your team has been assembled by the White House cyber national security staff to provide situational awareness about a current network breach and cyberattack against several financial service institutions.

Your role is:

· A representative from law enforcement, who has provided additional evidence of network attacks found using network defense tools.

Provide education and security awareness to the financial services sector about the threats, vulnerabilities, risks, and risk mitigation and remediation procedures to be implemented to maintain a robust security posture.

Project 3 Instructions:

The United States’ critical infrastructure—power, water, oil and natural gas, military systems, financial systems—have become the target of cyber and physical attacks as more critical infrastructure systems are integrated with the internet and other digital controls systems. The lesson learned in mitigating and defending against cyberattacks is that no entity can prevent, or resolve cyberattacks on its own. Collaboration and information sharing are key for success and survival.

In your teams, you can model the same collaboration, leveraging each other’s expertise, sharing each other’s knowledge, and teaching each other. This will include providing contributions specific to your role in the scenario:

The deliverables for this project are as follows:

1. Security Assessment Report (SAR): This report should be a 3-5-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

Prepare your section of the SAR for the White House Cyber National Security staff, describing the threat, the motivations of the threat actor, the vulnerabilities that are possible for the threat actor to exploit, current and expected impact on US financial services critical infrastructure, the path forward to eliminate or reduce the risks, and the actions taken to defend and prevent against this threat in the future.

2. After Action Report (AAR): This report should be a 2 – 4-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.

Prepare your section of the AAR. This knowledge management report will be provided to the cyberthreat analyst community. The purpose of the AAR is to share the systems life cycle methodology, rationale, and critical thinking used to resolve this cyber incident.

Law Enforcement

To be completed by the Law Enforcement Representative: Provide a description of the impact that the threat would have on the law enforcement sector. These impact statements can include the loss of control of systems, the loss of data integrity or confidentiality, exfiltration of data, or something else. Also provide impact assessments as a result of this security incident to the law enforcement sector. Ensure that the information is appropriately cited.

Step 2: Assess Suspicious Activity

Your team is assembled, and you have a plan. It’s time to get to work. You have a suite of tools at your disposal from your work in the earlier projects. That work can be used to create a full common operating picture of the cyberthreats and vulnerabilities that are facing the US critical infrastructure. Begin by reading the following resources to brush up on your knowledge:

Network Security

Network security is an umbrella term. It stands for all policies and procedures that a network administrator uses to mitigate risks on a network. These include policies for finding and recording a possible breach, as well as policies for responding to these events. A well-written and enacted network security effort will respond to a variety of threats. These threats may include direct attacks, malicious code, and internal threats.

Mission-Critical Systems

A mission-critical system is the name for a system that has functions critical to the survival of an organization. These systems are needed for basic day-to-day operations in most cases. When these systems fail, or if communications with them are blocked, the business will suffer a serious setback. For example, in a retail setting, the point of sales service is a mission-critical system, since without it, no transactions can be processed.

Penetration Testing

Penetration testing is the practice of arranging for a trusted third party to attempt to compromise the computer network or digital resources of an organization in order to assess the organization’s security.

In fact, the only real difference between penetration testing and real attacks is permission. So, a pen tester acts in every way possible as an actual attacker, meaning the tester accesses the system without using authorized credentials.

But unlike actual attacks, pen testing is always performed in cooperation with and at the direction of the system owner (or entity with authority over the system), who establishes the goals for the testing activities.

The overall purpose of pen testing is to validate the system’s security, identify weaknesses that could put the system at risk, and recommend mitigations to address the vulnerabilities. Pen testing can:

· provide an assessment of the defenses in use against all attack vectors.

· assess the response capabilities of the personnel in the organization charged with protecting and defending the network.

· evaluate the organization’s crisis response and any associated plans.

· provide a list of unpatched computers, outdated equipment, and other vulnerabilities.

· provide justification for the allocation of additional resources (people and/or technologies) for network security.

· result in recommendations to address any vulnerabilities identified.

Steps in Penetration Testing

After a well-defined contract that predetermines the scope and level of testing has been agreed upon, penetration testers usually perform four steps to perform an attack and gain as much access as possible.

Step 1: Performing Reconnaissance

The first step involves obtaining as much information as possible on the target network. Testers usually do this by:

· downloading the target’s website for offline analysis, using tools such as Wget and Teleport Pro.

· using technical tools such as NSLookup and Dig to uncover information on the hosts that are active on the target network.

· identifying publicly accessible services such as email and web servers

Step 2: Scanning and Enumeration

Scanning involves attempting to connect to a target system to observe a response. Many tools, such as Nmap, are available for scanning. Enumeration is used to gather in-depth information about the target systems, such as open shares, operating systems running, and user accounts. A few key terms used in enumeration are:

· Fingerprinting: Fingerprinting is the process of discovering the underlying operating systems on the target network.

· Footprinting: Footprinting goes a step beyond fingerprinting. Using footprinting, testers can obtain the following details regarding the target system:

· Host names

· IP addresses

· Active running ports and services

· Operating systems

· A network diagram

Step 3: Gaining Access

Gaining access is the most important and lengthy step in penetration testing. At this stage, a penetration tester moves from scanning and enumerating to performing an actual attack. The attack must adhere to the scope of the contract that exists between the tester and the organization’s management. Otherwise, the attack could be considered malicious and potentially illegal. This step may involve almost any approach to gain access, such as web server and domain name system (DNS) attacks, denial of service attacks, or email attacks including spam and Trojans.

Step 4: Reporting Problems to Management

Upon completion of penetration testing, the testing team reports its findings to the organization’s management. Penetration testing helps the organization in the following ways:

· It makes system administrators and technical staff aware of how their network can be compromised and allows them to accurately estimate budget increases for security technology upgrades.

· It aids managerial decision making with respect to purchasing new security devices and software.

Another way to think about pen testing comes from The Open-Source Security Testing Methodology Manual, which provides a good explanation of what the testers are actually evaluating.

· Visibility: This covers what the security can see and log. Included are email, communication devices (telephones) and network traffic.

· Access: Areas that someone can access the inner network. Does not need to be a computer system or network port. Can include web pages or any public facing connections.

· Trust: Trust checks the different kinds and amount of authentication systems, access controls and confidentiality between two or more systems (or even people) within a corporation’s security umbrella. Trust in people includes processes for changing passwords and how support is provided (remote control from outside areas).

· Safety: Can a comprised system affect and harm other systems in the network? If detected, can another system be locked out until the compromised system is repaired? Can a single system be detected as compromised?

· Alarm: This is probably the most important test as it evaluates that a timely and appropriate notification and response to compromising activities. Basically, can a corporation detect if it was compromised and if so, what can it do to halt the attack, determine the damage caused and correct it, and can it do anything to help catch the hacker?

Comparing Vulnerability Assessment and Management to Penetration Testing

It’s important to distinguish vulnerability assessments from penetration testing. A vulnerability assessment will only diagnose the vulnerabilities in the system, while penetration testing will actually exploit the vulnerabilities with techniques that an actual hacker or attacker would use. Penetration testing complements vulnerability testing. Penetration testing increases the scope of potential attack vectors to include testing physical, personnel, and procedural controls. The main objective behind penetration testing is to model real-world attacks as closely as possible.  

So before the onset of any work, it is important to determine the scope of the assessment. The result of testing should be unambiguous and should clearly balance business demands and technical needs. At the end of testing, a report of findings will outline the assets tested, the methods used, the results of the test, and recommendations for improvement. This method will test the physical, social, and technical barriers of a company to determine how vulnerable it is to threats.

Tools of the Trade

There are now many tools that are available for testing the vulnerability and penetrability of a network.

Nmap scans a network for open ports on a system and creates a visual network map. This can be useful in determining which computers are normal client computers and which computers have special functionality, such as web servers or active directory servers. It also detects the OS that is running on a system. This will allow for OS specific penetration tests (are the systems patched to protect from known vulnerabilities).

Nessus is one of the most popular vulnerability scanners and is widely used in industry. It offers a suite of functionalities, such as detecting vulnerabilities in sensitive data access, weak system configurations, and weak system passwords.

Microsoft Baseline Security Analyzer (MBSA) is a Microsoft software tool that determines whether systems on a network are missing security updates or have insufficient security settings for Microsoft applications, such as the Windows operating system or SQL server.

Ettercap offers the ability to intercept network connections on a LAN and manipulate traffic. It can also perform system fingerprinting.

Hping is a network analysis tool that can scan for open ports, fingerprint operating systems, and craft raw TCP/IP packets.

THC Hydra is a brute-force password cracking tool. It has ability to access data from a website and attempt logins that way. It is not limited to website log-ins, but can access a number of protocols including ftp.

Cain & Abel is a password recovery tool that uses a multitude of methods to determine user passwords. It can scan networks, use brute-force and dictionary methods of checking passwords, and it can even scan VoIP conversations to find passwords.

Final Thought

As new technology is adopted by organizations, standards must also adapt to meet the change. What new standards should be adopted for penetration testing to assess vulnerability for mobile devices in the growing BYOD (bring your own device to work) environment?

McLean, R. (2019, July 30).
A hacker gained access to 100 million capital one credit card applications and accounts | CNN business. CNN. Retrieved February 17, 2023, from

https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html

Tyko, K. (2019, July 30).
Massive data breach hits capital one, affecting more than 100 million customers. USA Today. Retrieved February 17, 2023, from

https://www.usatoday.com/story/money/2019/07/29/capital-one-data-breach-2019-millions-affected-new-breach/1863259001/

ected-new-breach/1863259001/

The culprit “was able to gain access by exploiting a misconfigured web application firewall (McLean, R. 2019).

https://www.usatoday.com/story/money/2019/07/29/capital-one-data-breach-2019-millions-affected-new-breach/1863259001/

https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html