Please read the after-action report and then write another AAR with the further evidence that is provided.
Security Risks

Our initial protection measures were driven by reports of cyber-attacks on European banks that stole customers' credit card information. To combat the theft of our citizens' financial data we must strengthen the security of both data in transit and data stored in databases. Stronger encryption reduces the damage when data is intercepted in transit, because the attacker obtains ciphertext rather than usable card data.

The second area of concern was the economic downturn caused by rising interest rates and the resulting reduction in small-company spending on cyber-security measures. Missteps in providing adequate cyber security may lead to the disclosure of customer data. It is our responsibility as the Federal Government to protect the nation's best interests. Supporting the infrastructure of our economy relies on protecting commerce and the privacy of our citizens.

Economic Downturn

Issues associated with the economic downturn can be lessened by measures that reduce downtime, increase support for small-business cyber-security, and offer training for personnel wishing to enter the cyber-security field. To encourage businesses to maintain a minimum level of security, we can offer a tax reduction for products that aid cyber-security and impose penalties for compliance failures.

A Business Continuity Plan (BCP) gives guidance on the actions a company should take when an event affects its ability to continue operating. To enact a BCP, the company should define the roles that identify which personnel lead specific efforts. This includes a hiring policy focused on finding experienced candidates to fill the leadership roles defined in the BCP.

Another tactic to minimize the impact of the economy is increasing network uptime. This requires redundancy for network loads: load balancing, DNS failover, and secondary operations sites.
External collaboration can often help identify suitable secondary sites. Cloud computing allows information to be stored off-site and remain accessible to the customer under the license agreement. Cloud storage also provides off-site backups from which data can be recovered when it is corrupted, encrypted by an attack (for example, ransomware), or otherwise unavailable at the normal company site.

Criminal Hacking

The hacking of computer systems has been a commonplace topic for at least the last decade. Each new attack has experts looking more closely at the effort security personnel must invest to protect networks in the future. There is no one-size-fits-all plan for cyber hacking: the technology keeps changing and new vulnerabilities are discovered rapidly. There are, however, measures companies can take to reduce losses when these attacks inevitably reach the network.

Policy is one key method for identifying the baseline security measures a company should follow. Things to consider are antivirus, authorized software, and the information that can be shared. As the Federal Government, we are limited in what policies we can enforce on private companies' systems. We can encourage adoption, provide training, and publish metrics that show the value of the policies we suggest.

Outdated antivirus provides less protection than an up-to-date package. Keeping the antivirus engine and signatures current gives hackers fewer opportunities to find weaknesses in the protection it provides. Encouraging an authorized software list (an application allowlist) means that only approved software from trusted vendors is identified and used for operations. This may inconvenience some users who are unfamiliar with the approved tools. Another good practice is limiting information sharing: restricting the access employees have to customer data that is not relevant to their jobs (need-to-know).
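The need-to-know restriction described above, as an added example that is not part of the original AAR: a deny-by-default filter that returns only the customer fields a job role needs, derives the last four card digits without ever exposing the full card number, and logs every denied request so that repeated out-of-role attempts can be spotted. The role names, field names and the sample customer record are assumptions made for the illustration; the audit list stands in for a real log sink.

```python
"""Added example (not from the original AAR): deny-by-default, need-to-know
filtering of customer records by job role, with an audit trail of denials.
Role names, field names and the sample record are assumptions."""

# Constructed, fictional sample record standing in for a row in the customer database.
SAMPLE_CUSTOMER = {
    "customer_id": "C-1001",
    "name": "Jane Example",
    "email": "jane@example.com",
    "card_pan": "4111111111111111",   # fictional test card number, not a real one
    "ssn": "000-00-0000",             # fictional
    "transactions": [{"id": "T-1", "amount": 42.50}],
}

# Assumed job roles and the only fields each one needs. Anything not listed is
# denied by default, so a new sensitive column (e.g. ssn) stays hidden until a
# role is explicitly granted it. "card_last4" is derived from card_pan inside
# view_customer, so the full card number never leaves this module.
ROLE_VISIBLE_FIELDS = {
    "support_agent": {"customer_id", "name", "email", "card_last4"},
    "fraud_analyst": {"customer_id", "name", "card_last4", "transactions"},
    "marketing": {"customer_id", "email"},
}


class AccessDenied(PermissionError):
    """Raised when a role asks for data outside its need-to-know set."""


def card_last4(pan: str) -> str:
    """Return the last four digits of a card number, ignoring spaces or dashes."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits[-4:]


def access_allowed(role: str, field_name: str) -> bool:
    """Pure policy check: unknown roles and unlisted fields are both denied."""
    return field_name in ROLE_VISIBLE_FIELDS.get(role, set())


def view_customer(record: dict, role: str, audit: list) -> dict:
    """Return a copy of `record` containing only the fields `role` may see.

    Every call is appended to `audit` (a list standing in for a log sink), so
    each read of customer data leaves a record of who saw which fields.
    """
    allowed = ROLE_VISIBLE_FIELDS.get(role)
    if allowed is None:
        audit.append(f"DENY role={role} customer={record.get('customer_id')} reason=unknown-role")
        raise AccessDenied(f"unknown role {role!r}")

    view = {}
    for name in allowed:
        if name == "card_last4":
            if "card_pan" in record:
                view["card_last4"] = card_last4(record["card_pan"])
        elif name in record:
            view[name] = record[name]

    audit.append(f"ALLOW role={role} customer={record['customer_id']} fields={sorted(view)}")
    return view


def request_field(record: dict, role: str, field_name: str, audit: list):
    """Explicit single-field read. Out-of-role requests are refused and logged."""
    if not access_allowed(role, field_name):
        audit.append(f"DENY role={role} customer={record.get('customer_id')} field={field_name}")
        raise AccessDenied(f"role {role!r} may not read {field_name!r}")
    return view_customer(record, role, audit).get(field_name)


def denied_attempts(audit: list) -> list:
    """Denied requests only; a spike of these for one role is worth an alert."""
    return [line for line in audit if line.startswith("DENY")]


if __name__ == "__main__":
    log = []
    print(view_customer(SAMPLE_CUSTOMER, "support_agent", log))
    try:
        request_field(SAMPLE_CUSTOMER, "support_agent", "card_pan", log)
    except AccessDenied as exc:
        print("refused:", exc)
    print("\n".join(log))
```

The important design choice is that the allow-list is per role, not per denied field: when a new sensitive column is added to the customer table, no role can see it until someone deliberately grants it, which is the behaviour a need-to-know policy requires.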
Other things to consider when creating a cyber-security policy that deters hacking:
· Remote Access
· Role-Based Access Controls
· Data Encryption Methods

Public Sentiment

If our citizens do not have confidence in our decisions, they will disregard any suggestions we make for protecting American networks. We must work diligently with public relations to establish a positive outlook on our decisions. Americans must know that we respect the privacy of their information and are taking every precaution we can to establish safe internet communication methods: following advisories designed by the National Institute of Standards and Technology (NIST), funding research efforts, and requiring breach notifications so that any loss of their data is reported. As an act of good faith, we can increase funding to support private-sector cyber-security. This allows greater access to security tools and personnel training, and encourages information sharing between private-sector professionals and government representatives.

Stakeholders

· FBI
· DISA
· Department of Treasury
· NIST
· Congress
· Attorney General's Office
· Department of Homeland Security

Critical to every cybersecurity strategy is the identification of all stakeholders. In the event of a cyber breach, or often just a cyberattack, certain stakeholders require notification. As you review each round of activity, create a spreadsheet or table with your team that lists the stakeholders to be notified. Include this in your AAR. Retain notes on the control decisions from each round, in addition to the CISO Debrief Report, as you move to the next step of stakeholder identification.

Round One of the simulation is complete. All five teams faced the following scenarios: Criminal Hacking and Economic Downturn.
Round 1 scenarios by team:

                    Federal Government   Avisitel   DTL Power   Mistral Bank   Hytema
Criminal Hacking            X               X           X            X           X
Economic Downturn           X               X           X            X           X

Here is how the teams performed after Round One: in terms of overall Index Score, Hytema and Mistral were tied for the best performance, followed closely by the Federal Government. Downtime and Profitability are areas to watch closely for the private-sector players. The Federal Government should focus on ways to improve Popular Sentiment and Surplus (Budget) moving forward.

R/ Prof G.

Student Name: Mitsuko Brown | Role: Cyber Security Policy Analyst

Decisions, Round 1

Antivirus Policy
  Quality of antivirus solution used: State-of-the-art
  Frequency of scans: Multiple times per day
  Frequency of patch updates: Always, once released

Authorized Software Policy
  Type of software permitted for use by employees: Approved software
  Software evaluation frequency in months: 6
  Violation penalties: Focus on termination

Breach Notification Policy
  Degree of openness of breach notification: Only critical incidents
  Investigative agencies to call in for major security breaches: CERT
  Violation penalties: Focus on termination

Emergency Bypass Policy
  Spending on emergency bypass policy: $125,000
  Response to violations of typical separation-of-duties protocol: Not allowed
  Violation penalties: Focus on suspensions

General Access Policies
  Degree of freedom given to employees regarding communications over the Internet: Restricted
  Degree of freedom over browsing non-business sites: Restricted
  Degree of logging of Internet access and other system actions and accesses: All actions
  Number of permitted login attempts: 3
  Password validity in days: 45
  Password length requirement: 8
  Non-use of prior passwords: 3
  Violation penalties: Focus on warnings

Hiring and Employee Policy
  IT team size: Average
  Full-time employees as a percentage of the workforce: 0.9
  Hiring by average experience in years: 7
  Spending on background checks by DSS or other vendors: $15,000
  Forced rotation of employees: Enable
  Forced vacation for employees: Enable

Information Sharing Policy
  Number of people in groups to oversee and enforce internal information sharing: 4
  Internal information sharing by role-based access control: Strictly need-to-know
  Degree of external information sharing: Strictly need-to-know
  Frequency of disclosure for InfraGard communication in days: 14
  Violation penalties: Suspensions

Remote Access Policy
  Degree of remote access by employee grade: Middle management
  Access privileges permitted: Medium (read/write)
  Violation penalties: Focus on termination

Rationale, Round 1

A strong antivirus solution is critical for protecting federal government information assets, especially when the probability of a cyber threat is high and the impact of a cyber breach is very high. The US Government will enforce strong password requirements with MFA. 45-day password changes are sufficient with strong password requirements. The security demands of the US Government require more monitoring than other entities that are less targeted by hackers.

Student Name: Esi FYNN-AIKINS | Role: Chief Information Security Officer

Decisions, Round 1

Business Continuity Planning
  Degree of IT data storage redundancy: Low
  Degree of IT network redundancy: High
  Levels of power backup redundancy: 2
  Number of backup sites: 1
  Number of redundant backup communication links: 3
  Policy review frequency in months: 6

Database Security
  Frequency of forcing password changes in days: 90
  Degree of separation of roles for admin and operator roles: Complete
  Control privileges: Restricted
  OS services and associated ports: Disable
  Database honeypots: Enable

External Collaboration
  Degree of collaboration with allies and Interpol: High

Federal Government Information Classification
  Strictness of cybersecurity information classification: Top secret/SCI

Information Privacy Policy
  Privacy program investment spending: $250,000
  Appoint a dedicated privacy officer: Yes
  Privacy training spending for employees: $400,000
  Degree of information and record retention: All information
  Violation penalties: Focus on suspensions

Role-Based Access Control
  Degree of role-based access control: High

Training and Auditing
  Focus on training area, network vulnerabilities: 35%
  Focus on training area, controls: 25%
  Focus on training area, encryption: 30%
  Focus on training area, penetration testing: 10%
  Frequency of physical audits of the equipment: Once a year

Rationale, Round 1

Increased data redundancy can eat up server storage space. Redundancy will be low, and intentionally so. A high network redundancy will minimize the chances of errors, damage, or shutdowns. A medium power backup akin to a 2N system will still keep things up and running. Having more redundant backup communication links is essential to ensure effective alternative communication. One offsite backup site is enough for storing the data needed in the event of a breach. Critical functions should be reviewed and updated every 6 months to help resume operations quickly after an incident. Role separation stops an attacker from abusing access control. A 90-day password change policy limits an attacker's stay inside a hacked account. Enabling honeypots will lure and deflect attackers while at the same time letting us learn their techniques. OSes must be hardened in this instance. The privacy program cost includes the cost of a response management tool, estimated incidents per year, the cost of time spent on incident intake and assessment, reporting costs, and internal and outside counsel costs. Employees who violate the privacy policy will be suspended pending investigation. The training cost covers 115 employees in 10 regional offices at an average cost of $390. More focus should be on assessing vulnerabilities, encrypting data, and providing controls. Auditing equipment once a year will reduce the cost of the audit while still meeting the requirements for certification.

Student Name: Mfonobong Noah | Role: General Counsel

Decisions, Round 1

Advisories
  NSA security configuration guide creation spending: $25,000
  NIST library funding: $500,000

CERT Controls
  CERT funding: $1,250,000
  Frequency of automated advisories in days: 10
  Experience of CERT responders in years: 2
  Training allocation funding: $1,250,000
  Vulnerability database maintenance funding: $500,000

ISACs
  Funding for the ISAC: $1,250,000
  Training and certification programs funding: $1,405,000