
Question


Scenario: Threats and Vulnerabilities in Aaru Inc.

Aaru Inc. is a small to medium-sized technology company that has 3 locations on the island, the first being Treasure Beach, St. Elizabeth. It was established in early 2010 and provides software solutions to its clientele. Over the last 5 years, the company grew and added additional office spaces: the second office in nearby Manchester and a further one in St. Ann.

All the offices have ALL their Information Systems needs serviced by a data centre facility hosted by a local service provider. This is the only instance of their IT infrastructure. Aaru Inc. is seeking to expand their portfolio to include IT consultancy, AI systems, network infrastructure design and security, software testing & quality assurance, and data analytics.

Aaru is comprised mainly of employees that have been there since its inception, except for the recently hired CISO. It is to be noted however that there is little to no formal documentation of the network by the heads of departments due to the employees being legacy personnel.

Tasha Simmonds is the CEO of Aaru Inc. She started the company in partnership with a friend who is a silent investor and plays no meaningful role in the day-to-day operations of the business.

Mr. Phillips is an old engineer but has no modern technical understanding of IT security issues.

Ms. Simmonds has had no problems with IT security until very recently, when the company's network was subject to a series of attacks. The company faced multiple attacks such as DDoS, phishing, zero-day exploits and MITM, to name a few, as well as having the company's website hacked and defaced with images and videos showing the logo of an underground hacker group with the name Phoenix Foundation. Noting this, a series of emails were sent to customers asking for Personally Identifiable Information (PII) by way of an undetectable virus, which constitutes a social engineering attack, as well as mission-critical data being corrupted or missing.

The CEO's IT security risk management concerns are wide ranging. Mr. Phillips needs to ascertain the full details on the attacks and suitable countermeasures that can be implemented. He is also concerned that the attacks may reoccur if the situation is not handled appropriately and quickly.

An initial investigation reveals that one of the attacks was through the Contact Us page on Aaru's site. According to the report, the hackers used JavaScript code to exploit a vulnerability in the web application. There is also evidence of a previous disgruntled employee planning for revenge against the company, who may have launched a logic bomb on a major company application, causing it to crash.

Mr. Phillips is also worried about the company's reputation if news of the attacks were to become publicized. After reviewing the work you had done to provide the preliminary report, you are appointed as the new Chief Information Security Officer (CISO). As a first step, you will review the current threats, analyse the impacts, and create necessary management plans. The CEO has shared a recent audit report to start with and the shocking results are listed below:

Internal Audit Report:

1. General:

o Improper operating procedures used by employees.
o Lack of security awareness and general security laziness.
o Nil acceptance of security responsibility.
o Inadequate standard operating procedures.
o Unattended machines.
o Failure to take care of media.
o Printing sensitive material.
o Failure to turn off computers at the end of the working day.
o Failure to back up information.

2. Hardware problems:

o Failure to adequately secure the hardware (e.g. laptops unsecured).
o Effects from the physical environment causing damage.

3. Software concerns:

o Some application software is of inferior quality and untested in the field and therefore not able to be trusted in the office environment.
o Improper coding practices.
o Nil audit logs.
o Lack of adequate access control.
o Lack of secure identification and authentication techniques.
o Limited antivirus software.
o Lack of restrictions to specific files when certain applications are operating.
o Lack of security awareness and general security laziness.

Tasks:

1. Based on the above scenario, propose an organisation structure of the Information Security team, which is suitable to work for you. Justify your proposal so that you can secure approval from Miss Simmonds the CEO. (Remember you are the CISO.)

a. Deliverables:

i. Organisational Chart

ii. Justification for each role

iii. Job description of each role [5 marks]

2. Propose appropriate Information Security processes and procedures which you would like your team to define. You only need to name those processes and procedures, and explain only one process and one procedure in detail. Examples of such security processes are Information Security Incident Management and Information Security Risk Management. An example of such a procedure is Standard Operating Procedure (SOP) for Threats and Vulnerability Assessment (TVA).

a. Deliverables:

i. List of Information Security processes for Aaru

ii. List of Information Security procedures for Aaru

iii. Elaborated Information Security process (only one) of your choice from the list above

iv. Elaborated Information Security procedure (only one) of your choice from the list above [2+2+3+3= 10 marks]

3. Based on the findings of the Audit report, discuss the major risks and threats the company is facing in the scenario. Your discussion can be categorised under the broad categories of people, process, and technology. [10 marks]

4. Prepare a Risk Register for Aaru (only cover Information Security Risks). The template will be: {Risk ID, Risk description, Risk Probability, Risk Impact, Proposed Mitigation, Risk Ownership, Risk Triggers}.

Notes:

i. Recall that the Risk Register is a deliverable of Information Security Risk Management. So, it means that you must plan risk management, and identify, assess*, mitigate, and assign owners and triggers to those risks.

*Decide your strategy for assessment: qualitative or quantitative.

ii. Based on the internal audit report, identify the vulnerabilities of Aaru Corp. from an Information Security perspective. [5+5=10 marks]

5. Create an Incident Response plan for Aaru. (You may use a template) [15 marks]
