Project 3: Enterprise Network Security
Snezhana Young
University of Maryland Global Campus
CST 630 9040 Advanced Cyber Exploitation and Mitigation Methodologies (2218)
Dr. Lawrence Awuah
November 15, 2021

Executive Summary

This report focuses on cybersecurity management during the merger and acquisition of a data streaming company. Our main aim is to understand how information system integration interacts with cybersecurity, considering the risks posed by vulnerabilities and their impact. The reasons M&A activity is prone to cyberattacks, and the actions that prevent them, are discussed. The policy gap analysis is described in detail with reference to industry standards. The laws and regulations are outlined, with the PCI DSS standard explaining the implementation of controls and the changes required in the existing network. The technical vulnerabilities associated with the protocols used by the streaming services in the company network are discussed, along with their mitigation steps. The network is assessed with firewalls and a DMZ. The existing policies for wireless and Bring Your Own Device are discussed, and those that need to be established after the acquisition are included in a later section. A data protection plan is outlined to explain clearly to management the importance of the plan and the benefits it will bring to the streaming data. The supply chain risks and measures to reduce them are included, and a patch and vulnerability management program is proposed, highlighting its importance and the costs involved. Lastly, the importance of employees and of employee training during and after the M&A is discussed. People are the most substantial asset and the weakest link of any company. Therefore, they should acquire proper knowledge about the privacy and protection of the organization's data. In addition, managers need to understand the significant benefits of training the employees after the acquisition.
Cyberattack on M&A and Mitigation

Companies undergoing mergers and acquisitions are more prone to cyberattacks, since the deal creates significant opportunities for cybercriminals. It is crucial to understand the risks present during the M&A process, because each deal holds its own nuances and entails new risks, such as advanced attackers who are well versed in corporate espionage techniques and stand to profit. Hiring activities may indicate the possibility of an M&A, and criminals then target the hiring executives with spear-phishing attacks. Changes in the market behavior of companies going through an M&A may lead to layoffs, and employees who lose their jobs may leak information. A lack of social media, BYOD, and mobile device management policies may lead to data being leaked inadvertently. Executives need to be vigilant during negotiations, announcements, and signing activities, as cybercriminals attempt to cause disruptions (Picardo, 2021).

It is essential to maintain vigilance at all stages of the M&A process. Sensitive information needs to be secured, since any data loss is a threat to the organization and an opportunity for attackers. Vulnerabilities, unintentional clues, and individual behavior can all offer an opening to attackers. Enterprises with insight into managing these issues can understand the threats and take actions to mitigate them. The actions involve:

· M&A initial screening: The legal and regulatory compliance of the target company should be identified, together with the inherent business risks of acquiring it. A detailed risk assessment should be performed on the target company to understand its current information security and privacy risks. This will identify risk indicators based on publicly available information.

· Pre-announcement of the deal signing: Integration should be aligned with the acquisition strategy. A RACI matrix should be formulated for information security activities based on the type of integration (full, hybrid, or soft). Active threat and penetration testing should be performed. The target company's processes and procedures should be reviewed to ensure that they remain aligned with the acquiring company's security requirements.

· Signing to integration: This stage requires monitoring of risk levels by establishing key risk factors for compliance. Vulnerabilities identified in previous steps should be remediated, and guidelines for re-assessment should be established. A governance model should be established for ongoing compliance. During integration, the information security resources of the target company should be onboarded into the acquiring company's information security function.

It is essential to keep the M&A confidential in order to prevent information leaks. Advisors, lawyers, and team members hold confidential information. They are bound by confidentiality rules under laws and codes of ethics, and the consequences of a violation are severe. Confidentiality should be maintained through control of the flow of information. For example, every transaction may be conducted through an online virtual data room where documents are posted. When such services are freely available online, they may introduce security issues or vulnerabilities, causing data loss. In addition, post-merger organizations may choose to fully integrate back-office operations and consolidate data stores to drive value. This requires a more comprehensive assessment of the cybersecurity strategy, including a new cyber risk profile and security controls consistent with the new operational demands. Therefore, to avoid issues after the merger or acquisition, it is essential to review the security policies so that they fall into place with the new policies (Picardo, 2021).

Security Policy Gap Analysis

This analysis shall involve an in-depth review so that the company can determine the difference between the current state of its information security and the security policies that should be adopted after the M&A.
This analysis shall help us understand the status of cybersecurity risks and vulnerabilities in the organization so that they can be worked on to improve security. The analysis can be done by following the sequence of steps below (Aman, 2021).

1. The organization should select an industry-standard security framework. This establishes a baseline of practices against which the company's practices can be measured. In addition, the chosen standards should provide best practices for information security management, covering security areas such as access control, assessment, etc. Cybersecurity platforms are also suitable for determining gaps in the network and for gathering data on IT infrastructure, organizational charts, policies, processes, and the application inventory.

2. The employees and processes should be evaluated. Many risks and breaches are associated with insider involvement. The key employees should answer questions to ensure that the network is used safely, that security controls are in place, and that correct information security analysis is executed. For example: do they provide training to other employees to keep them updated about threats, are there back-out procedures in case of problems, how is access handled for new hires and terminations, etc.

3. Data collection should be done to understand the effectiveness of the existing security program. The company's controls are compared with best practices during data collection. The existing security processes are assessed against those that are already proven successful. Data collection shall provide a complete view of the company's technical environment, its security measures, and their effectiveness.

4. An analysis of the security program should then be performed, and an IT security profile should be produced, identifying the strengths and the weaknesses where improvements are needed.
Finally, a complete plan should cover cyber risks, budget, staffing, and timeframes to improve security.

PCI-DSS Requirements

Requirement 1: Installation & Maintenance of Firewall Configuration

A secure network should be established and maintained within which the transactions are conducted. This requirement involves the use of robust and effective firewalls that do not cause inconvenience to vendors or cardholders. Specialized firewalls are available for wireless LANs, which are vulnerable to eavesdropping and attacks. Authentication data such as passwords and personal identification numbers should not use the defaults supplied by vendors. The firewall shall control the traffic allowed in and out of the company's network, and in particular the traffic that accesses sensitive areas of the company's internal network. Other system components may have firewall functionality to offer network security. All networking devices used to establish the network within the cardholder environment shall be considered in scope for assessment against the PCI DSS requirement (Rane, 2020).

In an M&A, configurations are subject to change, so establishing and formalizing firewall and router configuration standards is essential. All connections between the cardholder data environment and other networks should be identified. The business justification and technical settings for each implementation should be documented, together with all cardholder data flows across the systems and networks. A regular review of the configuration rule sets should be stipulated. All inbound and outbound traffic from untrusted networks and hosts should be restricted through firewall and router configurations. All traffic should be denied explicitly except for the protocols required by the cardholder environment. Direct public access between the internet and system components in the cardholder environment should be strictly prohibited.
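As an added example (not part of the report), a small Python audit that checks a constructed ruleset for the points listed under Requirement 1: an explicit final deny-all, no direct internet-to-CDE flows, no blanket any-protocol allows, and a business justification on every permitted rule. The zone names, rule fields and sample rules are assumptions made for illustration.

```python
"""Added example (not from the report): audit a firewall ruleset against the
Requirement 1 points above - explicit default deny, no direct internet-to-CDE
traffic, only the required protocols/ports, and a documented business
justification for every permitted flow. Zones, rules and fields are constructed."""
from dataclasses import dataclass
from typing import List

ANY = "any"


@dataclass
class Rule:
    src: str            # zone name: "internet", "dmz", "corp", "cde", or "any"
    dst: str
    proto: str          # "tcp", "udp", or "any"
    port: int           # 0 means every port
    action: str         # "allow" or "deny"
    justification: str = ""


def audit(rules: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the ruleset passes."""
    findings: List[str] = []
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == ANY
                            and last.dst == ANY and last.proto == ANY):
        findings.append("ruleset does not end with an explicit deny-all rule")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if "internet" in (r.src, r.dst) and "cde" in (r.src, r.dst):
            findings.append(f"rule {i}: direct traffic between the internet and the CDE")
        if r.proto == ANY or r.port == 0:
            findings.append(f"rule {i}: allows every protocol or port instead of only those required")
        if not r.justification.strip():
            findings.append(f"rule {i}: no documented business justification")
    return findings


# Constructed sample: a DMZ front end, a DMZ-to-CDE payment API, one bad rule, deny-all.
SAMPLE_RULES = [
    Rule("internet", "dmz", "tcp", 443, "allow", "public streaming front end"),
    Rule("dmz", "cde", "tcp", 8443, "allow", "payment API reachable from DMZ only"),
    Rule("internet", "cde", "tcp", 3306, "allow"),   # direct DB access, undocumented
    Rule(ANY, ANY, ANY, 0, "deny", "default deny"),
]
```

Running `audit(SAMPLE_RULES)` reports two findings, both against the third rule; removing that rule yields an empty list.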
Personal firewalls, or software with equivalent functionality, should be installed on all devices that connect to the internet from outside the network to access the cardholder data environment. Security policies and operational procedures should be known to all stakeholders, remain in use, and be appropriately documented.

Requirement 8: Identify and Authenticate Access to System Components

This requirement applies to all accounts with administrative capabilities and to those with access to stored cardholder data. Accounts used by consumers are exempted. It is essential to assign a unique identification to each account with access so that actions on critical data and systems can be traced to authorized users. User identification management for users and administrators on all system devices and components should be ensured by defining and implementing policies and procedures. All users should be assigned a user name before accessing the system or cardholder data. User authentication should use a password or passphrase, a smart card or token device, or a biometric. These authentication credentials should be encrypted and unreadable during transmission and storage using robust methods. Multifactor authentication should be used to secure non-console administrative access as well as all remote access to cardholder data. This applies to administrators with non-console access to the CDE from within the company network and to anyone with remote access from outside the network. Multifactor authentication involves more than one method of authentication, such as a password combined with a biometric; using one method twice does not constitute multifactor authentication. Authentication policies and procedures should be developed, implemented, and communicated to all users. Group or generic IDs should be prohibited. Service providers should use unique authentication credentials.
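As an added example (not part of the report), a minimal Python login routine covering the Requirement 8 points above: unique per-person IDs, credentials stored only as salted hashes, and a second, different factor (an RFC 6238 time-based one-time password) before non-console or remote access is granted. The record layout, function names and the RFC test seed are assumptions made for illustration.

```python
"""Added example (not from the report): a minimal login check in the spirit of
PCI DSS Requirement 8 above. One unique ID per person, credentials stored only
as salted scrypt hashes, and a second factor (RFC 6238 TOTP) required before
non-console or remote access is granted. Names and sample values are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

USERS: Dict[str, dict] = {}  # user_id -> record; no shared or group IDs


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, scrypt digest); the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def enroll(user_id: str, password: str, totp_secret: bytes) -> None:
    """Create an account; duplicate IDs are refused so every action is attributable."""
    if user_id in USERS:
        raise ValueError("user IDs must be unique")
    salt, digest = hash_password(password)
    USERS[user_id] = {"salt": salt, "hash": digest, "totp": totp_secret}


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second step)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def login(user_id: str, password: str, otp: Optional[str], now: float, console: bool) -> bool:
    """Password is factor one; non-console access also needs the TOTP (a second,
    different factor: entering a second password would not count)."""
    rec = USERS.get(user_id)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    if not hmac.compare_digest(digest, rec["hash"]):
        return False
    if console:
        return True
    # Non-console/remote access: require the current TOTP, compared in constant time.
    return otp is not None and hmac.compare_digest(otp, totp(rec["totp"], now))
```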
Authentication mechanisms such as physical security tokens, certificates, and smart cards should be assigned to an individual account. Access to any database holding cardholder data should be restricted: users should access it only through programmatic methods, direct access should be allowed only to administrators, and application IDs for database applications should be usable only by the applications themselves. All related policies and operational procedures should be known to users and documented (Rane, 2020).

Streaming Services Protocols

Companies with streaming services offer live broadcasting of video content, which requires a great deal of technology working behind the scenes. This service requires streaming protocols that make live video streaming possible. HTTP Live Streaming (HLS) uses HTTP servers and is an adaptive-bitrate protocol. Real-Time Streaming Protocol (RTSP) establishes and controls single stream or several time-synchronized