Project 2 Scenario
Assessing Information System Vulnerabilities and Risk
You are an information assurance management officer (IAMO) at an organization of your choosing. One morning, as you're getting ready for work, you see an email from Karen, your manager. She asks you to come to her office as soon as you get in. When you arrive at work, you head straight to Karen's office. “Sorry for the impromptu meeting,” she says, “but we have a bit of an emergency. There's been a security breach at the Office of Personnel Management.”
“We don't know how this happened, but we need to make sure it doesn't happen again,” says Karen. You'll be receiving an email with more information on the security breach. Use this info to assess the information system vulnerabilities of the Office of Personnel Management.
At your desk, you open Karen's email. She's given you an OPM report from the Office of the Inspector General, or OIG. You have studied the OPM OIG report and found that the hackers were able to gain access through compromised credentials. The security breach could have been prevented if the Office of Personnel Management, or OPM, had abided by previous auditing reports and security findings. In addition, access to the databases could have been prevented by implementing various encryption schemas and could have been identified after running regularly scheduled scans of the systems.
Karen and the rest of the leadership team want you to compile your findings into a Security Assessment Report, or SAR. You will also create a Risk Assessment Report, or RAR, in which you identify threats, vulnerabilities, risks, likelihood of exploitation, and suggested remediation.
Project 2 Instructions
The security posture of the information systems infrastructure of an organization should be regularly monitored and assessed (including software, hardware, firmware components, governance policies, and implementation of security controls).
The monitoring and assessment of the infrastructure and its components, policies, and processes should also account for changes and new procurements in order to stay in step with ever-changing information system technologies.
The data breach at the US Office of Personnel Management (OPM) was one of the largest in US government history. It provides a series of lessons learned for other organizations in industry and the public sector. Some failures of security practices, such as lack of diligence with security controls and management of changes to the information systems infrastructure, were cited as contributors to the massive data breach in the OPM Office of the Inspector General's (OIG) Final Audit Report, which can be found in open-source searches.
Some of the findings in the report include:
· weak authentication mechanisms;
· lack of a plan for life-cycle management of the information systems;
· lack of a configuration management and change management plan;
· lack of inventory of systems, servers, databases, and network devices;
· lack of mature vulnerability scanning tools;
· lack of valid authorizations for many systems; and
· lack of plans of action to remedy the findings of previous audits.
The breach ultimately resulted in removal of OPM's top leadership. The impact of the breach on the livelihoods of millions of people may never be fully known.
There is a critical need for security programs that can assess vulnerabilities and provide mitigations.
In this project, there are eight steps, including a lab, that will help you create your final deliverables. The deliverables for this project are as follows:
1. Security Assessment Report (SAR): This should be an eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
2. Risk Assessment Report (RAR): This report should be a five- to six-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
Step 1: Enterprise Network Diagram
In this project, you will research and learn about types of networks and their secure constructs that may be used in an organization to accomplish the functions of the organization’s mission.
You will propose a local area network (LAN) and a wide area network (WAN) for the organization, define the systems environment, and incorporate this information in a network diagram. You will discuss the security benefits of your chosen network design.
Read the following resources about some of the computing platforms available for networks and discuss how these platforms could be implemented in your organization:
Common Computing Platforms
Computing platforms have three main components: hardware, the operating system (OS), and applications. The hardware is the physical equipment/machine that runs the OS and applications. It generally consists of the central processing unit (CPU) or processor, storage, and memory. The operating system (OS) communicates between the hardware and the applications run by the end user.
Different platforms are used for traditional desktops and laptops and for the newer touchscreen phones and tablets. Common processors include Intel Core and AMD (for desktops) and ARM (modified by Apple and Qualcomm to make processors for phones). The most popular operating systems for desktops are Windows and Linux; for phones, they are iOS and Android.
Compatible applications are developed for specific systems by different companies, including Microsoft, Apple, Google, and Adobe.
The Hardware Cloud: Utility Computing and Its Cousins
Learning Objectives
1. Distinguish between SaaS and hardware clouds.
2. Provide examples of firms and uses of hardware clouds.
3. Understand the concepts of cloud computing, cloudbursting, and black swan events.
4. Understand the challenges and economics involved in shifting computing hardware to the cloud.
While SaaS provides the software and hardware to replace an internal information system, sometimes a firm develops its own custom software but wants to pay someone else to run it for them. That’s where hardware clouds, utility computing, and related technologies come in. In this model, a firm replaces computing hardware that it might otherwise run on-site with a service provided by a third party online. While the term utility computing was fashionable a few years back (and old timers claim it shares a lineage with terms like hosted computing or even time sharing), now most in the industry have begun referring to this as an aspect of cloud computing, often referred to as hardware clouds. Computing hardware used in this scenario exists “in the cloud,” meaning somewhere on the Internet. The costs of systems operated in this manner look more like a utility bill—you only pay for the amount of processing, storage, and telecommunications used. Tech research firm Gartner has estimated that 80 percent of corporate tech spending goes toward data center maintenance. J. Rayport, “Cloud Computing Is No Pipe Dream,” BusinessWeek, December 9, 2008. Hardware-focused cloud computing provides a way for firms to chip away at these costs.
Major players are spending billions building out huge data centers to take all kinds of computing out of the corporate data center and place it in the cloud. While cloud vendors typically host your software on their systems, many of these vendors also offer additional tools to help in creating and hosting apps in the cloud. Salesforce.com offers Force.com, which includes not only a hardware cloud but also several cloud-supporting tools, such as a programming environment (IDE) to write applications specifically tailored for Web-based delivery. Google’s App Engine offers developers several tools, including a database product called Big Table. And Microsoft offers a competing product—Windows Azure that runs the SQL Azure database. These efforts are often described by the phrase platform as a service (PaaS) since the cloud vendor provides a more complete platform (e.g., hosting hardware, operating system, database, and other software), which clients use to build their own applications.
Another alternative is called infrastructure as a service (IaaS). This is a good alternative for firms that want even more control. In IaaS, clients can select their own operating systems, development environments, underlying applications like databases, or other software packages (i.e., clients, and not cloud vendors, get to pick the platform), while the cloud firm usually manages the infrastructure (providing hardware and networking). IaaS services are offered by a wide variety of firms, including Amazon, Rackspace, Oracle, Dell, HP, and IBM.
Still other cloud computing efforts focus on providing a virtual replacement for operational hardware like storage and backup solutions. These include the cloud-based backup efforts like EMC’s Mozy, and corporate storage services like Amazon’s Simple Storage Solution (S3). Even efforts like Apple’s iCloud that sync user data across devices (phone, multiple desktops) are considered part of the cloud craze. The common theme in all of this is leveraging computing delivered over the Internet to satisfy the computing needs of both users and organizations.
Clouds in Action: A Snapshot of Diverse Efforts
Large, established organizations, small firms and start-ups are all embracing the cloud. The examples below illustrate the wide range of these efforts.
Journalists refer to the New York Times as, “The Old Gray Lady,” but it turns out that the venerable paper is a cloud-pioneering whippersnapper. When the Times decided to make roughly one hundred fifty years of newspaper archives (over fifteen million articles) available over the Internet, it realized that the process of converting scans into searchable PDFs would require more computing power than the firm had available. J. Rayport, “Cloud Computing Is No Pipe Dream,” Business Week, December 9, 2008. To solve the challenge, a Times IT staffer simply broke out a credit card and signed up for Amazon’s EC2 cloud computing and S3 cloud storage services. The Times then started uploading terabytes of information to Amazon, along with a chunk of code to execute the conversion. While anyone can sign up for services online without speaking to a rep, someone from Amazon eventually contacted the Times to check in after noticing the massive volume of data coming into its systems. Using one hundred of Amazon’s Linux servers, the Times job took just twenty-four hours to complete. In fact, a coding error in the initial batch forced the paper to rerun the job. Even the blunder was cheap—just two hundred forty dollars in extra processing costs. Says a member of the Times IT group: “It would have taken a month at our facilities, since we only had a few spare PCs…It was cheap experimentation, and the learning curve isn’t steep.” G. Gruman, “Early Experiments in Cloud Computing,” InfoWorld, April 7, 2008.
NASDAQ also uses Amazon’s cloud as part of its Market Replay system. The exchange uses Amazon to make terabytes of data available on demand, and uploads an additional thirty to eighty gigabytes every day. Market Replay allows access through an Adobe AIR interface to pull together historical market conditions in the ten-minute period surrounding a trade’s execution. This allows NASDAQ to produce a snapshot of information for regulators or customers who question a trade. Says the exchange’s VP of Product Development, “The fact that we’re able to keep so much data online indefinitely means the brokers can quickly answer a question without having to pull data out of old tapes and CD backups.” P. Grossman, “Cloud Computing Begins to Gain Traction on Wall Street,” Wall Street and Technology, January 6, 2009. NASDAQ isn’t the only major financial organization leveraging someone else’s cloud. Others include Merrill Lynch, which uses IBM’s Blue Cloud servers to build and evaluate risk analysis programs; and Morgan Stanley, which relies on Force.com for recruiting applications.
IBM’s cloud efforts, which count Elizabeth Arden and the U.S. Golf Association among their customers, offer several services, including so-called cloudbursting. In a cloudbursting scenario, a firm’s data center running at maximum capacity can seamlessly shift part of the workload to IBM’s cloud, with any spikes in system use metered, utility style. Cloudbursting is appealing because forecasting demand is difficult and can’t account for the ultrarare, high-impact events sometimes called black swans. Planning to account for usage spikes explains why the servers at many conventional corporate IS shops run at only 10 to 20 percent capacity. J. Parkinson, “Green Data Centers Tackle LEED Certification,” SearchDataCenter.com, January 18, 2007. While the Cloud Labs cloudbursting service is particularly appealing for firms that already have a heavy reliance on IBM hardware in-house, it is possible to build these systems using the hardware clouds of other vendors, too.
Salesforce.com’s Force.com cloud is especially tuned to help firms create and deploy custom Web applications. The firm makes it possible to piece together projects using premade Web services that provide software building blocks for features like calendaring and scheduling. The integration with the firm’s SaaS CRM effort, and with third-party products like Google Maps allows enterprise mash-ups that can combine services from different vendors into a single application that’s run on Force.com hardware. The platform even includes tools to help deploy Facebook applications. Intuitive Surgical used Force.com to create and host a custom application to gather clinical trial data for the firm’s surgical robots. An IS manager at Intuitive noted, “We could build it using just their tools, so in essence, there was no programming.” G. Gruman, “Early Experiments in Cloud Computing,” InfoWorld, April 7, 2008. Other users include Jobscience, which used Force.com to launch its online recruiting site; and Harrah’s Entertainment, which uses Force.com applications to manage room reservations, air travel programs, and player relations.
Challenges Remain
Hardware clouds and SaaS share similar benefits and risks, and as our discussion of SaaS showed, cloud efforts aren’t for everyone. Some additional examples illustrate the challenges in shifting computing hardware to the cloud.
For all the hype about cloud computing, it doesn’t work in all situations. From an architectural standpoint, most large organizations run a hodgepodge of systems that include both package applications and custom code written in-house. Installing a complex set of systems on someone else’s hardware can be a brutal challenge and in many cases is just about impossible. For that reason we can expect most cloud computing efforts to focus on new software development projects rather than options for old software. Even for efforts that can be custom-built and cloud-deployed, other roadblocks remain. For example, some firms face stringent regulatory compliance issues. To quote one tech industry executive, “How do you demonstrate what you are doing is in compliance when it is done outside?” G. Gruman, “Early Experiments in Cloud Computing,” InfoWorld, April 7, 2008.
Firms considering cloud computing need to do a thorough financial analysis, comparing the capital and other costs of owning and operating their own systems over time against the variable costs over the same period for moving portions to the cloud. For high-volume, low-maintenance systems, the numbers may show that it makes sense to buy rather than rent. Cloud costs can seem super cheap at first. Sun’s early cloud effort offered a flat fee of one dollar per CPU per hour. Amazon’s cloud storage rates were twenty-five cents per gigabyte per month. But users often also pay for the number of accesses and the number of data transfers. C. Preimesberger, “Sun’s ‘Open’-Door Policy,” eWeek, April 21, 2008. A quarter a gigabyte a month may seem like a small amount, but system maintenance costs often include the need to clean up old files or put them on tape. If unlimited data is stored in the cloud, these costs can add up.
Firms should enter the cloud cautiously, particularly where mission-critical systems are concerned. Amazon’s spring 2011 cloud collapse impacted a number of firms, especially start-ups looking to leanly ramp up by avoiding buying and hosting their own hardware. HootSuite and Quora were down completely, Reddit was in “emergency read-only mode,” and Foursquare, GroupMe, and SCVNGR experienced glitches. Along with downtime, a small percentage (roughly 0.07 percent) of data involved in the crash was lost. A. Hesseldahl, “Amazon Details Last Week’s Cloud Failure, and Apologizes,” AllThingsD, April 29, 2011. If a cloud vendor fails you and all your eggs are in one basket, then you’re down, too. Vendors with multiple data centers that are able to operate with fault-tolerant provisioning, keeping a firm’s efforts at more than one location to account for any operating interruptions, will appeal to firms with stricter uptime requirements, but even this isn’t a guarantee. A human configuration error hosed Amazon’s clients, despite the fact that the firm had confirmed redundant facilities in multiple locations. M. Rosoff, “Inside Amazon’s Cloud Disaster,” BusinessInsider, April 22, 2011. Cloud firms often argue that their expertise translates into less downtime and failure than conventional corporate data centers, but no method is without risks.
Distributed Computing: A Definition
A distributed system is one in which the processors are less tightly coupled than in a shared-memory system. A typical distributed system consists of many independent computers in the same room, attached via network connections. Such an arrangement is often called a cluster.
In a distributed system, each processor has its own independent memory, which precludes using shared memory for communication. Processors instead communicate by sending messages; in a cluster, these messages are sent over the network. Though message passing is much slower than shared memory, it scales better to many processors and is cheaper. Moreover, programming such a system is arguably easier than programming a shared-memory system, since the synchronization involved in waiting to receive a message is more intuitive. Thus, most large systems today use message passing for interprocessor communication.
Computing Platforms
Today, smartphones and tablets can all run sophisticated software applications. Each has its own operating system, which determines what applications can run on it. This tutorial looks at the common hardware platforms that exist for desktop PCs, laptops, and smaller mobile devices such as phones and tablets.
We'll start by looking at the components of a typical computing device.
At the lowest level is the hardware, and one of the most important questions is which central processing unit (CPU) the hardware uses. We'll look at the different types of CPUs that support different platforms, whether desktop or phone.
Above that is the operating system (OS). You can think of the OS as having a couple of layers. The bottom layer is the core OS service, usually called the kernel and sometimes called the Hardware Abstraction Layer (HAL). It is the part of the operating system that communicates directly with the hardware, whether the CPU, the video card, and so on. The remaining operating system services sit on top of it.
At the very top is the application, which has to be written for a particular operating system. You can't run an application designed for the Macintosh operating system on Windows.
Finally, the user interacts with the app through the graphical user interface (GUI), using a keyboard, a mouse, or touch. Those are the three basic components of any computing platform.
Now we'll look at the desktop platforms that have existed for a while, starting with a few of the CPUs on the market that form the basis of the hardware platform. Intel makes probably the most popular CPU, today called the Intel Core series. A few years ago, Motorola had a few CPUs named G3 and G4; these were called PowerPCs. At the higher end, workstation users doing 3D CAD and animation wanted even more powerful CPUs, based on a technology called RISC, such as the SPARC CPU or SPARC processor.
On each of these CPUs, various operating systems existed. On the Intel Core family we typically have Windows, in different versions, but with two main types: 32-bit Windows, designated x86, and 64-bit Windows, designated x64 (we won't go into the difference now). Many other operating systems also run on the Intel Core, which we'll look at a bit later.
On workstations, the more powerful desktop PCs, some version of Unix typically ran. In the SPARC case, a company called Sun created an operating system called Solaris; Sun has since been bought by Oracle. On top of that are apps designed for Unix.
The PowerPC G3 and G4 from Motorola are what OS X was originally based on. OS X has Unix at its core, so we can think of OS X as residing on top of a Unix core. As things evolved, companies wanted faster and faster processors, which gave way to an even faster processor created by IBM called the G5, and OS X was designed to run on the IBM G5 processor, again with apps designed for that version of OS X. At the same time, laptops were becoming more and more important, so mobility mattered, and with mobility, battery life mattered. The emphasis shifted from pure performance to a balance of performance and battery life. Apple found that the G5 from IBM had good performance but consumed a lot of power and could not work well on battery, so it eventually dropped the G5 and ported its entire operating system to the Intel Core family of CPUs. That meant Apple had to modify its operating system and redesign its apps, which caused a bit of a stir. There are still OS X apps, but now they're designed to run on an operating system that runs on the Intel Core CPU. That was the desktop landscape, and to this day it is still the landscape for Windows desktop computers and OS X.
We're now going to look at phones and tablets. The company that really made the smartphone take off was Apple. Apple looked around and found that the Intel Core CPU simply burned too much power for a small mobile device like a phone with a small battery. So it looked at a different company, ARM Holdings, a British company that produced a CPU design that anyone could license. This CPU had the best performance and battery efficiency on the market at the time. Because ARM licensed its designs, other companies could pay a fee, modify the design, and manufacture their own CPUs. That is what Apple did: it produced an ARM-based CPU and denoted it with an A (presumably for Apple); the A5 and A6 are currently out. Apple used this CPU as the foundation for a new operating system. It was based on OS X but was significantly different, because it was designed for touch rather than a mouse. They called this operating system iOS. To run applications on it, you need iOS apps, which you can purchase from the App Store. These iOS apps do not run on OS X; they run only on iOS mobile devices, typically the iPhone, the iPod touch, and the iPad.
Other companies were looking at doing the same thing. Qualcomm also licensed ARM technology to produce a CPU based on it, called Snapdragon. These are the CPUs that Google's Android used as the basis for its operating system; Android runs on smartphones from Samsung and LG and on tablets, and these devices need Android apps. Microsoft has come out with its own phone system, Windows Phone 8, which is also based on the Snapdragon CPU, again a derivative of ARM, so you need a Windows Phone 8 app to run on a Windows Phone. Another company has also entered the market and licensed ARM's technology.
That company is NVIDIA, which produced a CPU called the Tegra. This CPU is in one of Microsoft's two tablets: it is used in the Microsoft Surface that runs the operating system called Windows RT. We'll talk a bit about Windows RT and about the apps that have to run on it. As you can see, most companies developing smaller user devices like phones and tablets have not used an Intel processor, because it simply consumes too much power. They have gone to ARM-based technology: licensed it, modified it, added cores and graphics processors, and then used that as the basis on which to build a phone, a tablet, or some other mobile device. Microsoft has not quite followed that model. Apple, by contrast, has made quite a distinction between its mobile device OS and its desktop OS.
What Microsoft has done is come out with a new operating system called Windows RT. Windows RT has a new type of desktop; if you've seen Windows 8 and its new desktop, that is the RT part of Windows. You can almost think of Windows 8 as having a dual identity. Windows RT is part of a new tablet system called the Microsoft Surface. A Surface tablet based on Windows RT costs about $500 and has an NVIDIA Tegra, an ARM-based processor. The operating system is no longer exactly Windows 8; it is a modified form of Windows 8 called Windows RT, and you'll notice it has a somewhat different user interface, made up of what are called Live Tiles.
Microsoft chose not to use the Windows Phone 8 operating system here: if you have a Windows Phone 8, you will notice the interface looks the same, but underneath it is a different operating system. The apps that run on the Surface need to be designed for Windows RT.
Microsoft also has Windows 8 in different versions, for instance Windows 8 Pro and Home, and part of Windows 8 is the typical desktop metaphor you're used to. If we look at how Windows 8 is constructed, it has the normal Windows core services, or kernel, but in Windows 8 the layer above has been broken into two modules. One is WinRT (not to be confused with Windows RT), a WinRT component that is part of the Windows 8 operating system; the other is the traditional Windows OS component. Windows 8 can therefore run two different types of apps: a WinRT app or what we'll call a normal desktop app.
In Windows 8, an application like Adobe Photoshop would be a typical desktop app; it runs on the traditional Windows OS component in the core, on an Intel Core processor. The WinRT apps run on the new interface. So in Windows 8 we have the new desktop and the traditional desktop we can get to, and two types of applications. Microsoft has come out with a version of its tablet called Surface, but you can buy the Surface with Windows RT or with Windows 8 Pro. The Surface with Windows RT can only use the RT style of apps.
You may have heard the term Metro for this new desktop. Microsoft first called it the Metro design or the Metro desktop; it ran into some copyright issues and can't use the term Metro anymore, but many people still know it by that name, so some people call these Metro apps. A Metro app, or an app designed for this new interface, will run on Windows 8 and on Windows RT, so it works on a Windows RT Surface. The big point is that a normal Windows app like Photoshop, designed for Windows, will run on Windows 8 Pro but will not run on Windows RT. So if someone buys a su