To begin this assignment, review the prompt and grading rubric in the Module Two Short Response Guidelines and Rubric. You will be working through Breach Analysis Simulation Scenario One PPT, or its text-based alternative PDF, which is an interactive scenario that you will use to address questions in the prompt. When you have finished your work, submit the assignment here for grading and instructor feedback.

CYB 250 Module Two Short Response Guidelines and Rubric

Overview

In cybersecurity, data protection should be the first priority. There are two basic concepts: data at rest and data in transit. Each version of data is protected slightly differently. It may be sufficient to protect data at rest with some type of encryption that is difficult to crack over a long period of time, while the data in transit only needs to be protected until it gets past the entity that is trying to decipher it. In either case, it is important to know what to do when a breach or incident occurs. Having a strong computer incident response team (CIRT) is a valuable resource for any company. The premise behind incident response is to identify an attack, contain and eradicate its effects, and minimize the risk of incident recurrence.

What is the shortest amount of time it can take to restore the system to a safe state? The shortest amount of time might not be the most cost-effective. Therefore, the company must prioritize its actions and make sure that in trying to fix the cyber incident, it doesn’t cause the company more harm. There are many incidents and actions that the CIRT needs to be ready for, so having a highly defined and well-practiced incident response plan is important for the company’s well-being. Having the proper resources, whether they are personnel or information technology related, can play a role in how fast the company recovers from the incident. Being prepared for the worst possible cases, having a strong understanding of the influences of the confidentiality, integrity, and availability (CIA) triad, and knowing how the company will react to those situations could mean the difference between company survival or deeper consequences, such as company closure. Having the proper CIRT is about having the right people for the job. This does not mean that all of senior management needs to be on the CIRT. This does mean that the company must figure out what the proper makeup of the team should be. The team members must be knowledgeable in their roles as they need to be sure that the decisions they make are in the best interests of the company.

Prompt

After reviewing Breach Analysis Simulation Scenario One, address the critical elements below:

I. Reflection on CIA and Data Protection

A. Select a tenet of the CIA triad and explain how the principle applies to the scenario. Justify your response with details or examples from the scenario.

B. Explain the issues with Secure Sockets Layer (SSL) that facilitated its deprecation and how Transport Layer Security (TLS) remedies those issues.

II. Incident Response Plan

A. In small organizations, there typically isn’t a large membership to form the CIRT. Explain how organizations with a small IT department ensure that the CIRT is prepared to handle all possible situations.

What to Submit

Your submission should be 1 to 2 pages in length. Use double spacing, 12-point Times New Roman font, and one-inch margins. All sources must be cited using APA format. Use a file name that includes the course code, the assignment title, and your name—for example, CYB_123_Assignment_Firstname_Lastname.docx.



11/5/24, 11:04 AM Assignment Information

https://learn.snhu.edu/d2l/le/content/1748997/viewContent/36623161/View 1/2

Module Two Short Response Rubric

Criteria: Reflection on CIA and Data Protection: Tenet of CIA Triad (Value: 30)
Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
Proficient (85%): Selects a tenet of the CIA triad and explains how the principle applies to the scenario, including details or examples from the scenario
Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Criteria: Reflection on CIA and Data Protection: Issues with SSL (Value: 30)
Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
Proficient (85%): Explains the issues with SSL that facilitated its deprecation and how TLS remedies those issues
Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Criteria: Incident Response Plan: Form the CIRT (Value: 30)
Exemplary (100%): Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner
Proficient (85%): Explains how organizations with a small IT department ensure that the CIRT is prepared to handle all possible situations
Needs Improvement (55%): Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail
Not Evident (0%): Does not address critical element, or response is irrelevant

Criteria: Articulation of Response (Value: 10)
Exemplary (100%): Submission is free of errors related to citations, grammar, spelling, and organization and is presented in a professional and easy-to-read format
Proficient (85%): Submission has no major errors related to citations, grammar, spelling, or organization
Needs Improvement (55%): Submission has some errors related to citations, grammar, spelling, or organization that negatively impact readability and articulation of main ideas
Not Evident (0%): Submission has critical errors related to citations, grammar, spelling, or organization that prevent understanding of ideas

Total: 100%


Published by Articulate® Storyline www.articulate.com

CYB 250 Module Two Short Response Text Version: Breach Analysis Simulation Scenario One

Breach Analysis Simulation Introduction

Read through the following scenario. You will then be asked to make choices based on your experience as a security analyst. While there is a best path through the simulation, many of the other options are viable. You are encouraged to explore all of the options to enhance your knowledge and to prepare you for future breaches. The purpose of this simulation is to develop your systems thinking mindset and mature your cyber defense strategies.


Breach Analysis Simulation: Scenario One

You are a security analyst working for a company that provides an e-commerce website. Over the last year, you have had discussions with your supervisor about updates to the systems, including a transition to Transport Layer Security (TLS) from Secure Sockets Layer (SSL). The changes have not been implemented due to budgetary constraints. While performing file system maintenance, you notice low disk quota on the web server.

1. Challenge One

1.1 Challenge One

What is this low disk quota? This is odd; last audit, there was sufficient space. Normal business operations wouldn’t cause this. What should you do next? Below are the possible answers:

● Try to diagnose the source of the breach
● Consult the incident response plan
● Notify your supervisor


1.2 Try to diagnose the source of the breach

Good thought, but beware! Breaches are complex issues. Many additional obligations beyond solving the breach need to be addressed. For instance, evidence gathering must be considered, and communications to stakeholders must be drafted. Finding the source of the breach may be time-consuming; consequently, other entities can be working on remediation actions during this time. Try selecting a different response.

1.3 Consult the incident response plan

Although technically this response is the correct process, all employees should know that alerting their supervisor is the first step; this results in faster action in initiating the proper response. When you consult the incident response plan, it directs you to immediately contact your supervisor. Where should the incident response plan be located? Below are the possible answers:

● Stored digitally on the network
● Each employee should have a hard copy at his/her desk
● Printed out and stored in one specific location


1.3.1 Stored digitally on the network

No, this is not the ideal selection because the network could be compromised or otherwise inaccessible. Try selecting a different response.

1.3.2 Each employee should have a hard copy at his/her desk

Not quite! Although organizations might choose to do this, it represents an overuse of resources and creates potential issues related to the frequent updating necessary to this document. Try selecting a different response.


1.3.3 Printed out and stored in one specific location

Correct! This is standard practice; a single hard copy that is always up to date with the most current actions prevents issues. It is important to ensure that all individuals are notified when updates to this document occur. Now that you have determined where the incident response plan should be located, return to Challenge One and try selecting a different response.

1.4 Notify your supervisor

Correct! As an analyst, you need to contact your supervisor, who will contact the computer incident response team and mobilize the appropriate personnel to remedy the situation.


2. Challenge Two

2.1 Challenge Two: Dialogue with Supervisor

Supervisor: “There do appear to be irregularities with the network. I would like you to do some investigating and find evidence to support your concerns about a breach.” Where should you look first to try to find evidence of the breach? Below are the possible answers:

● Look for irregularities in Active Directory
● Analyze access control logs
● Look at the files on the web server

2.2 Analyze access control logs

Looking at access control logs can be a good start when trying to identify who accessed which areas of the network. However, this is a time-consuming process, and if the hacker is experienced, it may be difficult to determine whether unauthorized individuals accessed parts of the network they weren’t supposed to. After review of the access control logs, no evidence of a breach was found here. Try selecting a different response.


2.3 Look for irregularities in Active Directory

A goal of hackers is to establish a presence in the network. From this presence, hackers look to escalate privilege to gain access to information on the system or network and hide their activity within the network. Looking for irregularities is a good foundational step in trying to identify rogue activity on a network. In this case, there was no clear evidence that the attack progressed past the initial access to the network. This choice is something to keep in mind if irregularities in individual account behavior occur on the network. Try selecting a different response.

2.4 Look at the files on the web server

Correct! Looking at the files on the web server has uncovered the presence of rogue or unauthorized files. Hackers typically test the waters by trying to upload files to web servers. They are trying to discover whether they can infiltrate your system. If successful, hackers would try to exploit this vulnerability and look to secure their presence in the network through the web server. For this challenge, all three choices are viable, but checking for rogue or unauthorized files can be one of the fastest methods of detecting an attack.
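One way to make the check in 2.4 repeatable rather than a manual look around the web root, as an added example that is not part of the simulation: record a baseline manifest (path, size, SHA-256) after each approved deploy, then compare the live tree against it and report files that were added, modified or removed, plus the bytes those unexpected additions consume (the symptom that started this scenario was unexplained disk usage). The web root, file names and manifest layout below are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path) -> dict:
    """Map each regular file (relative POSIX path) under webroot to its size and hash."""
    manifest = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file():
            rel = p.relative_to(webroot).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return manifest


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift from the approved baseline: new files, changed content, missing files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    # Bytes consumed by files nobody deployed: ties the finding back to the disk-usage symptom.
    added_bytes = sum(current[p]["size"] for p in added)
    return {"added": added, "modified": modified, "removed": removed, "added_bytes": added_bytes}


def demo() -> dict:
    """Constructed web root: a clean deploy is baselined, then an unexpected upload and an edited page appear."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "htdocs"
        (webroot / "uploads").mkdir(parents=True)
        (webroot / "index.html").write_text("<h1>Shop</h1>\n")
        (webroot / "checkout.php").write_text("<?php // constructed placeholder ?>\n")
        baseline_file = Path(tmp) / "baseline.json"  # constructed location for the approved manifest
        baseline_file.write_text(json.dumps(build_manifest(webroot), indent=2))
        # Constructed drift: a file nobody deployed lands in uploads/ and a page changes.
        (webroot / "uploads" / "unexpected.php").write_text("<?php // constructed placeholder ?>\n")
        (webroot / "index.html").write_text("<h1>Shop</h1><!-- edited -->\n")
        return compare_to_baseline(json.loads(baseline_file.read_text()), build_manifest(webroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be written by the deploy process and stored off the web server, since a manifest the attacker can rewrite detects nothing.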


3. Challenge Three

3.1 Challenge Three: Conversation with Supervisor

Supervisor: “Good work on identifying the issues with rogue files on the network. It appears that the attacker was able to place the files on the network because of the weak SSL encryption. Moving forward, we have reevaluated the budget and made the transition to TLS a priority. But we need to complete some steps before moving to TLS.”

3.2 Challenge Three: Conversation with Supervisor, Continued

Supervisor: “What do you think is the most important step to be sure we are ready to transition to TLS?” Below are the possible answers:

● “Hardware. I think we need to ensure that processors, RAM, network media (Gigabit Ethernet or fiber optic), network peripherals, and servers are capable and up to the task. Processing time becomes a consideration when implementing TLS because ciphers can take time to process, so you may experience a degradation of your network and lag time. We want to make sure that our communication infrastructure can handle the bandwidth and our network peripherals are as up to date as possible. We will also want to assess the health of our servers and server operating systems.”

● “Desktop and server software. I think we need to perform a health check for the local machines and take an inventory of other information systems as a first step. The communication between software across the organization is complex, and we need to ensure that everything works and is thoroughly tested. The last thing we want is to lose availability of the network because of software upgrades. Another factor with software is the cost of licensing both desktop and server software. This can be a big consideration as we plan the transition to TLS.”

● “Personnel. Implementing TLS requires personnel who are trained in the technical complexities required to complete this task. These personnel need to know why implementing TLS is important and also how to implement it.”

3.3 Desktop and server software

Supervisor: “Great point! While software considerations are important, I think they are secondary to hardware considerations because hardware is the first major component we will focus on when upgrading to TLS. We need the underlying infrastructure in place before making the move. Hardware upgrades have their own challenges and need to be completed first. Software is an important consideration because, once the right infrastructure is in place, the correct software is also required for TLS implementation.” Try selecting a different response.


3.4 Personnel

Supervisor: “Great point! While having the right personnel is key, I would argue that this is the third priority of the choices provided. Having the right personnel is an important consideration, along with being able to identify the right skill set needed, but having the proper infrastructure in place is the most important consideration.” Try selecting a different response.

3.5 Hardware

Supervisor: “I agree! This should be our highest priority consideration when transitioning to TLS. While it is important to take hardware, software, and personnel into consideration, hardware is the most important because having the infrastructure to run TLS is essential.”


Challenge Review

Your previous suspicions were aligned with what the incident response team discovered during its investigation. Your initial step of notifying your supervisor was key to having a timely response to the incident. The incident response team agreed that migrating from SSL to TLS is a part of the solution.

4. Challenge Four

4.1 Challenge Four

Supervisor: “Thanks for all of your help in identifying the breach and making recommendations for the remediation! We have successfully implemented TLS, and SSL has been removed from the system. Moving forward, what are your thoughts on what happens now that the upgrade has been implemented?” Below are the possible answers:

● “We can continue business as usual because updates have been made and vulnerability has been remediated.”

● “We should reevaluate security policies.”
● “We should conduct a security audit.”


4.2 “We can continue business as usual because updates have been made and vulnerability has been remediated.”

Supervisor: “I disagree. While we may be tempted to continue business as usual after implementing updates to remediate a vulnerability, it is really important to conduct a security audit to uncover any unintended consequences of those updates and to reevaluate our system health.” Try selecting a different response.

4.3 “We should reevaluate security policies.”

Supervisor: “Great point! This is an important step in implementing new solutions, but I think that conducting a security audit should be our first priority because we could uncover unintended consequences from the changes.” Try selecting a different response.


4.4 “We should conduct a security audit.”

Supervisor: “I agree! Conducting a security audit should be our first priority. By conducting the security audit, we will perform an evaluation of all systems, which may uncover other issues from implementation of the vulnerability remediation.”

Breach Analysis Simulation Scenario One Summary

Nice work! This activity is meant to enhance your knowledge about managing a breach by exploring choices that you could make during a given scenario. It is important that during a breach you remain calm and stick to the incident response plan. The knowledge gained from this assignment will help you to form a baseline of cyber defense strategies and your systems thinking mindset.