Using the Unit VI Student worksheet, conduct Internet research, and complete the worksheet as outlined in the directions. This assignment builds upon your previous unit assignments; therefore, the mitigation identification should be based on your previous choice of industries: aerospace, healthcare, or government agencies.
Please download the worksheet as you will need to answer the questions and provide screenshots. Once completed, you will submit the worksheet for grading.
The worksheet will be added to your outline to produce a completed project at the end of the course. APA formatting is not necessary.
Student Name:

You must complete all three exercises.

Exercise 1: NVD NIST Website

Visit the NVD NIST website. Locate the National Vulnerability Database (NVD) menu, click the menu, and then navigate to Search. Click on the Vulnerabilities – CVE box. In the Keyword Search box, type in Firewall, check both boxes to the right that start with US-CERT, and click Search. On that page, scroll down until you locate the CVE that deals with Juniper ScreenOS 6.2.0r15 in reference to (1) SSH or (2) TELNET session.

Requirement:
1. Identify the complete CVE number (for example, CVE-xxxx-xxxx). Type your answer here:
2. Provide a screenshot of the Impact of the CVE below:
3. Click on the CVE number and scroll down until you reach References to Advisories, Solutions, and Tools. Then locate the Exploit and Vendor Advisory hyperlink. Enter the link here that you used:
4. Click on the link you selected, and provide a screenshot of the Solution and Workaround below:

Exercise 2: Details Website

Visit the CVE Details website. Navigate to the View CVE box and type in the following: CVE-2015-7755. Then click View CVE.

Requirement:
1. Provide a screenshot of the CVSS Scores & Vulnerability Types below:

Exercise 3: CWE Website

Visit the CWE website. Navigate to the Search box under Search CWE and type CWE-287. Then hit Enter.

Requirements:
1. After hitting the Enter key to search for CWE-287, the search provided a lot of listings. Which link within the search results did you click on? Type in your answer here:
2. What was the main title for CWE-287? Type in your answer here:
3. Provide a screenshot of the Potential Mitigations below:
4. What is the relationship between CWE-287 and CVE-2015-7755? Type your answer here:

SUMMARY

Provide a short summary of what you have learned about researching for mitigation fixes for a vulnerability.
Type your answer here:

SEC 4320, IS Security Capstone
UNIT VI STUDY GUIDE
IT Risk and Mitigation

Course Learning Outcomes for Unit VI

Upon completion of this unit, students should be able to:
1. Compile a vulnerability assessment using the current security posture.
1.1 Explore the Common Vulnerabilities and Exposures (CVE) end item through the CVE online databases.
5. Construct preventative measures to ensure critical assets are secure.
5.1 Examine the mitigation data for the Common Vulnerabilities and Exposures (CVE) end item.

Course/Unit Learning Outcomes and Learning Activities

1.1: Unit Lesson; Article: “Correlated Failures, Diversification, and Information Security Risk Management”; Article: “Addressing Information Security Risks by Adopting Standards”; Unit VI Assignment
5.1: Unit Lesson; Video: Risk and How to Use a Risk Matrix; Video: Project Risk Management: Plotting and Managing Risk in Projects; Unit VI Assignment

Required Unit Resources

In order to access the following resources, click the links below.

Chen, P.-Y., Kataria, G., & Krishnan, R. (2011, June). Correlated failures, diversification, and information security risk management. MIS Quarterly, 35(2), 397–422, A1–A2. http://web.a.ebscohost.com.libraryresources.columbiasouthern.edu/ehost/detail/detail?vid=0&sid=9cf7793f-47b0-4dfe-b7ab-2cdb8cd5a386%40sessionmgr4006&bdata=JnNpdGU9ZWhvc3QtbGl2ZSZzY29wZT1zaXRl#AN=60461891&db=bsu

In order to access the following article, you may have to download the file.

Al-Ahmad, W., & Mohammad, B. (2013). Addressing information security risks by adopting standards. International Journal of Information Security Science, 2(2), 28–43. https://www.ijiss.org/ijiss/index.php/ijiss/article/view/20/pdf_5

Transcripts and closed captioning are available once you access the videos below.

Let’s Learn Public Health. (2018, June 8). Risk and how to use a risk matrix [Video]. YouTube. https://c24.page/r9wwdau3tjcugdfd9c4uwu82be

Project Management Videos. (2012, January 24). Project risk management: Plotting and managing risk in projects [Video]. YouTube. https://c24.page/rj4guyhqbuwnh6a275987jyr7x

Unit Lesson

In Unit II, we looked at risks from the point of view of a vendor and learned that we, as security professionals, need the risks to be identified in a checklist. This checklist is known as the Vendor Assessment Checklist, in which risks are prioritized, and then the proactive measures that should be taken to address these risks are identified.

The security framework, as addressed in Unit III, allows the security professional to determine which framework should be used to protect critical control identifiers as well as determine whether the risk(s) should be identified as low, medium, or high. A gap analysis was used in the event that the security baseline and/or other security controls did not meet the security requirements to protect the risk.

Risk management was covered in Unit IV, in which a risk assessment matrix was created after deploying the Microsoft Baseline Security Analyzer (MBSA) to determine vulnerability within a computer system. This matrix is a decision-making tool for management to determine what risk(s) the organization is willing to accept or ignore. It is important that the risk assessment matrix is complete and accurate.
In Unit V, we discussed the Center for Internet Security (CIS) Critical Security Controls (CSC), which introduce the different categories of controls to which the security professional can map the results from the risk assessment matrix. The result of this mapping includes which CSC should be implemented first by the organization and what, if any, policies or security documents need to be created or updated based on the CSC.

Cyber risk today is very volatile. Not only does this risk affect information technology assets, it also greatly affects the financial burden the organization must carry as a result of cyber threats. An organization’s cyber risk(s) share the same importance as the organization’s financial risk(s). As a result, it is important to quantify those cyber risk(s) into what is known today as cyber risk quantification (CRQ).

What is cyber risk quantification? Simply put, it involves gathering all the data from checklists, frameworks, gap analyses, critical security controls, risk assessment matrices, and decision-making processes related to security risks in order to demonstrate how failing to mitigate these risks will result in huge financial losses for an organization (Freund, 2018).

You have probably heard the phrase “lowest bidder wins,” and of course, this means that there is a big risk that the product will fail. The same goes when an organization begins to budget for the short term and long term. Security usually goes at the bottom of the budgetary requirements. That is because management knows it is costly and is willing to take some acceptable risks. Sometimes, however, the wrong acceptable risks will be costly to the organization. Review the video Quantifying Cyber Risk to learn more. A transcript and closed captioning are available once you access the video.

If you remember from Unit IV, the Microsoft Baseline Security Analyzer (MBSA) was used to scan for vulnerabilities within your system(s).
From the score results in the scan report, you prioritized the vulnerabilities and created a low, medium, and high risk assessment matrix, and you explained the preventive measures you would take. How to mitigate (fix) each vulnerability is shown by the How to correct this link, which is displayed just below each vulnerability as evidenced in Figure 1 below.

Figure 1: MBSA Scan Report Details

https://c24.page/7536vbeuz7gw37z54gckkdafk

When you click How to correct this, you will find the following recommendation as seen in Figure 2 below.

The above example from How to correct this tells the security professional the steps necessary to mitigate the vulnerability. Sometimes, other resources are provided in the Additional Information area of the recommendation document.

The MBSA is a personal scanner and will be able to address those vulnerabilities and help you determine how to mitigate those risks found on your system. What about other organizations in the private, government, or academic sectors? Of course, these organizations will be using more sophisticated vulnerability scanners. However, all vulnerability scanners will provide the same report that explains the vulnerabilities and how to mitigate them.

What about those vulnerabilities that do not offer recommendations about how to fix the vulnerabilities? What if you need additional information about the vulnerability? The National Institute of Standards and Technology (NIST) has a database of vulnerability fixes called the National Vulnerability Database. The CVE Details website also has information that a security professional can use to find mitigations for vulnerabilities. Learn more about this website in the video Common Vulnerabilities and Exposures DataSource. A transcript and closed captioning are available once you access the video.
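The same fields the worksheet asks you to read off the NVD page (CVE number, impact score, weakness type, vendor advisory link) can be pulled from a downloaded record in code. The following is an added example, not part of the course material: the sample record is constructed, its identifier and URLs are placeholders, and the field layout is assumed to follow the JSON returned by the NVD CVE API 2.0.

```python
import re

# Constructed sample record (not real NVD data). The nesting mirrors the JSON
# returned by the NVD CVE API 2.0; treat the field names as an assumption.
SAMPLE = {"cve": {
    "id": "CVE-2099-0001",
    "metrics": {
        "cvssMetricV2": [{"cvssData": {"version": "2.0", "baseScore": 10.0}}],
        "cvssMetricV31": [{"cvssData": {"version": "3.1", "baseScore": 9.8}}],
    },
    "weaknesses": [
        {"type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]},
        {"type": "Secondary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]},
    ],
    "references": [
        {"url": "https://vendor.example/advisory/0001", "tags": ["Vendor Advisory"]},
        {"url": "https://tracker.example/item/42", "tags": ["Third Party Advisory"]},
        {"url": "https://lists.example/msg/7"},  # references may carry no tags
    ],
}}

CVE_ID = re.compile(r"CVE-(\d{4})-(\d{4,})")  # CVE-<year>-<sequence number>

def summarize(record):
    """Return the fields the worksheet asks for: ID, score, weakness, advisory."""
    cve = record["cve"]
    match = CVE_ID.fullmatch(cve["id"])
    if match is None:
        raise ValueError(f"not a CVE identifier: {cve['id']!r}")
    # Prefer the newest CVSS version the record carries; older CVEs have v2 only.
    cvss = None
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            data = metrics[key][0]["cvssData"]
            cvss = (data["version"], data["baseScore"])
            break
    # Keep real CWE IDs, drop NVD placeholders such as NVD-CWE-Other.
    cwes = sorted({d["value"] for w in cve.get("weaknesses", [])
                   for d in w.get("description", [])
                   if re.fullmatch(r"CWE-\d+", d["value"])})
    advisories = [r["url"] for r in cve.get("references", [])
                  if "Vendor Advisory" in r.get("tags", [])]
    return {"id": cve["id"], "year": int(match.group(1)), "cvss": cvss,
            "cwes": cwes, "vendor_advisories": advisories}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The CWE IDs returned are the link between a single vulnerability record and the weakness class whose Potential Mitigations you then look up on the CWE website.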
On each of the websites mentioned above, you will find vulnerabilities associated with the CVE numbering system. CVE stands for Common Vulnerabilities and Exposures; each identifier consists of CVE followed by the year and a number assigned to a specific vulnerability. The Common Weakness Enumeration website is also useful in that it lists software weakness types. These three websites contain a wealth of information about how to mitigate vulnerabilities that have been encountered globally.

Also note that not all risks or vulnerabilities are found by just scanning information technology assets. Such risks can occur due to outdated security documentation or procedures, such as an old authorized use policy or outdated knowledge of which personnel can access buildings or IT assets.

Figure 2: MBSA Sample Recommendation

https://nvd.nist.gov/
https://www.cvedetails.com/
https://c24.page/yzezbvzjkg768n4k34bjrehrx6
https://cwe.mitre.org/

For every vulnerability found, there is a mitigation (fix) or a workaround that can either totally eliminate the risk or at least reduce the risk to a manageable level. As a security professional, it is important that you provide a complete and accurate security assessment report. Recommendations made about risks and vulnerabilities will be critical to the decision-making