You are an Information Assurance Management Officer, IAMO, at an organization of your choosing. One morning, as you’re getting ready for work, you see an email from Karen, your manager. She asks you to come to her office as soon as you get in. When you arrive to your work, you head straight to Karen’s office. “Sorry for the impromptu meeting,” she says, “but we have a bit of an emergency. There’s been a security breach at the Office of Personnel Management.” We don’t know how this happened, but we need to make sure it doesn’t happen again, says Karen. You’ll be receiving an email with more information on the security breach. Use this info to assess the information system vulnerabilities of the Office of Personnel Management. At your desk, you open Karen’s email. She’s given you an OPM report from the Office of the
Inspector General, or OIG. You have studied the OPM OIG report and found that the hackers were able to gain access through compromised credentials. The security breach could have been prevented, if the Office of Personnel Management, or OPM, had abided by previous auditing reports and security findings. In addition, access to the databases could have been prevented by implementing various encryption schemas and could have been identified after running regularly scheduled scans of the systems. Karen and the rest of the leadership team want you to compile your findings into a Security Assessment Report or SAR. You will also create a Risk Assessment Report, or RAR, in which you identify threats, vulnerabilities, risks, and likelihood of exploitation and suggested remediation
The security posture of the information systems infrastructure of an organization should be regularly monitored and assessed (including software, hardware, firmware components, governance policies, and implementation of security controls). The monitoring and assessment of the infrastructure and its components, policies, and processes should also account for changes and new procurements that are sure to follow in order to stay in step with ever-changing information system technologies.
The data breach at the Office of Personnel Management (OPM) is one of the largest in US government history. It provides a series of lessons learned for other organizations in industry and the public sector. Some critical security practices, such as lack of diligence to security controls and management of changes to the information systems infrastructure were cited as contributors to the massive data breach in the OPM Office of the Inspector General’s (OIG) Final Audit Report, which can be found in open source searches. Some of the findings in the report include: weak authentication mechanisms; lack of a plan for life-cycle management of the information systems; lack of a configuration management and change management plan; lack of inventory of systems, servers, databases, and network devices; lack of mature vulnerability scanning tools; lack of valid authorizations for many systems, and lack of plans of action to remedy the findings of previous audits.
The breach ultimately resulted in removal of OPM’s top leadership. The impact of the breach on the livelihoods of millions of people is ongoing and may never be fully known. There is a critical need for security programs that can assess vulnerabilities and provide mitigations.
There are nine steps that will help you create your final deliverables. The deliverables for this project are as follows:
- Security Assessment Report (SAR): This should be an 8-10 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
- Risk Assessment Report (RAR): This report should be a 5-6 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
Step 1: Enterprise Network Diagram
During Project One, you researched a hypothetical or actual organization of your choice. You had to understand the goals of the organization and the types of systems that would fulfill those goals. You will now research and learn about types of networks and their secure constructs that may be used in organizations to accomplish the functions of the organization’s mission. You will propose a local area network (LAN) and a wide area network (WAN) for the organization, define the systems environment, and incorporate this information in a network diagram. Discuss the security benefits of your chosen network design.
Read about the following computing platforms available for networks and discuss how these platforms could be implemented in your organization. Include the rationale for all platforms you choose to include in your network design.
- common computing platforms
- cloud computing
- distributed computing
- centralized computing
- secure programming fundamentals
Step 2: Enterprise Threats
Review the OIG report on the OPM breach that you were asked to research and read about at the beginning of the project. The OIG report included numerous security deficiencies that likely left OPM networks vulnerable to being breached. In addition to those external threats, the report also describes the ways OPM was vulnerable to insider threats. The information about the breach could be classified as threat intelligence. Define threat intelligence and explain what kind of threat intelligence is known about the OPM breach.
You just provided detailed background information on your organization. Next, you’ll describe threats to your organization’s system. Before you get started, select and explore the contents of the following link: insider threats (also known as internal threats). As you’re reading, take note of which insider threats are a risk to your organization.
Now, differentiate between the external threats to the system and the insider threats. Identify where these threats can occur in the previously created diagrams. Relate the OPM threat intelligence to your organization. How likely is it that a similar attack will occur at your organization?