Final Project
School: Southern New Hampshire University
Course: 549
Subject: Information Systems
Date: Feb 20, 2024
HANAH DEERING
IT 549
Foundation in Information Assurance
9-2 FINAL PROJECT SUBMISSION
INFORMATION ASSURANCE PLAN
Introduction
The Target data breach has gone down in history as one of the largest and most impactful security breaches. During the holiday season of 2013, cybercriminals were able to steal 40 million credit/debit card records, along with 70 million customer records that included Personally Identifiable Information (PII), by accessing Target’s point-of-sale (POS) systems. This resulted in an $18 million settlement for Target. “The ordeal cost credit card unions over two hundred million dollars just for reissuing cards.” (Shu, 2017) Access was first gained to Fazio Mechanical Services, a small HVAC company in Pennsylvania that Target had hired as a refrigeration contractor, through a phishing attack that a Fazio Mechanical Services employee fell victim to. Fazio Mechanical Services had been given remote access to Target’s network for business purposes. Once the hackers had gained access to the third-party vendor’s network, they were able to access Target’s network with stolen Fazio Mechanical credentials. “After getting access, the attackers used an administrative application BMC account with its default username and password to move within the network. It is believed that NetCat.exe raw commands were used to load hacking-related commands to compromised systems. Target’s network was accessed by the attackers for the first time, on Nov 12th, 2013. It is believed by security researchers that a vulnerability in a Windows Domain Controller was found by the attackers, that was used to gain access to the POS systems.” (Gopal, 2022)
Overview of the Goals and Objectives
Information assurance plans are “measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.” (Baker, 2003) Organizations have data flowing through their networks continuously, every single day, and with undetected loopholes this valuable data can fall into the wrong hands. When an unauthorized entity gains access to confidential data, the ability to alter, steal, transmit, and view that data poses a huge threat not only to organizations but also to individuals. Information assurance plans provide guidelines and frameworks to ensure data is secure, regardless of whether the data is on a physical device or stored digitally in the cloud. The goals and objectives of an information assurance plan can be explained through the three pillars of information assurance (Confidentiality, Integrity, and Availability), which represent the fundamentals of data security.
Ensuring the confidentiality of data means that confidential data is not disclosed to people who are not authorized to access or view it. Safeguarding data confidentiality can be accomplished in many ways, using administrative, physical, and technical controls. Having the proper access controls in place plays a large part in assuring the confidentiality of data. This means controlling who has access to the data and granting access on a need-to-know or least-privilege basis, which limits unnecessary exposure. Implementing multifactor authentication with strong passwords also helps to limit the unauthorized exposure of data. “Encryption is a process that renders data unreadable to anyone except those who have the appropriate password or key. By encrypting sensitive files (by using file passwords, for example), you can protect them from being read or used by those who are not entitled to do either.” (UDel, 2020) Ensuring the confidentiality of data is not limited to the digital controls mentioned above; it also extends to the physical safeguards that an organization should have in place to keep data private. Locations that store sensitive data should be protected with physical controls such as badge readers, turnstiles, and/or fences to ensure that unauthorized personnel do not encounter the data and potentially exploit it.

Ensuring integrity involves ensuring that data goes unchanged and unaltered both at rest and in transit. This maintains the consistency and accuracy of the data, ensuring the data is trustworthy. To accomplish this, an organization must take the proper steps to ensure that data cannot be altered in any way by an unauthorized entity. Version control helps to ensure the integrity of data by providing a sort of change log that protects against erroneous changes or accidental deletions of data. Version control also keeps an audit trail. Consistently creating data backups helps to maintain data integrity by allowing for recovery of the data in the event of loss or corruption. “Some data might include checksums, even cryptographic checksums, for verification of integrity.” (Kehal, 2023) The wholeness and accuracy of the data can be protected by data encryption, which protects against unauthorized modification and preserves data quality. Ensuring the integrity of data is essential for any organization, as it ensures the accuracy and completeness of the data.

Ensuring the availability of information is a critical component of an information assurance plan. This ensures that services and data remain accessible to end users whenever they are required, preferably always, to perform business functions. Organizations must rigorously maintain their network infrastructure to ensure the correct functioning of all hardware and operating system environments and to prevent any conflicts that would affect the availability of information. Performing regular system/software upgrades (patches) keeps systems working seamlessly together without errors. To mitigate serious consequences when issues within the network do occur, it is important to include redundancy and failover to ensure the availability of data. Disaster Recovery Plans (DRP) must be designed for worst-case scenarios so that the business can still operate in the event of a disaster striking the organization. Data loss and downtime that can hinder availability to organizations and customers can be mitigated through regular backups.
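The integrity controls discussed above (cryptographic checksums over data at rest) can be illustrated with a keyed-checksum manifest that reports modified, missing, and unexpected records. This is an added example, not part of the original paper; the record names, contents, and key are constructed sample values, and it assumes the key is stored away from the data it protects.

```python
import hashlib
import hmac


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256: catches accidental corruption, not deliberate edits."""
    return hashlib.sha256(data).hexdigest()


def keyed_digest(key: bytes, name: str, data: bytes) -> str:
    """HMAC-SHA256 bound to the record name; needs the secret key to compute."""
    encoded = name.encode()
    msg = len(encoded).to_bytes(4, "big") + encoded + data
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, records: dict) -> dict:
    return {name: keyed_digest(key, name, data) for name, data in records.items()}


def verify(key: bytes, manifest: dict, records: dict) -> list:
    """Compare current records to the manifest; return sorted (name, finding)."""
    findings = []
    for name, tag in manifest.items():
        if name not in records:
            findings.append((name, "missing"))
        elif not hmac.compare_digest(tag, keyed_digest(key, name, records[name])):
            findings.append((name, "modified"))
    findings += [(n, "unexpected") for n in records if n not in manifest]
    return sorted(findings)


# Constructed sample data: a key held away from the data store, three records.
KEY = b"constructed-demo-key"
BASELINE = {
    "prices.csv": b"sku,price\n1001,19.99\n",
    "vendors.csv": b"vendor,contact\nacme,ops@example.com\n",
    "pos-config.ini": b"[update]\nserver=internal\n",
}
MANIFEST = build_manifest(KEY, BASELINE)

# Constructed later state: one edit, one deletion, one addition.
CURRENT = dict(BASELINE, **{"prices.csv": b"sku,price\n1001,0.01\n"})
del CURRENT["vendors.csv"]
CURRENT["extra.bin"] = b"\x00\x01"

# An unkeyed checksum stored beside the data can be rewritten along with it,
# so it still matches after the edit; the keyed manifest entry does not.
SIDECAR_AFTER_EDIT = plain_digest(CURRENT["prices.csv"])

if __name__ == "__main__":
    print(verify(KEY, MANIFEST, CURRENT))
```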
Creating and maintaining an information assurance plan around these key concepts gives organizations a framework to ensure the protection of information and systems against security threats. The confidentiality, integrity, and availability of information (data) are protected by information assurance. An information assurance plan is an essential part of information security. Building an organization’s assurance plan around these key concepts assures that information is protected and risks are managed when using, storing, and transmitting information. The main goal of an information assurance plan is to establish a framework to protect the confidentiality, integrity, and availability of information.
Confidentiality, Integrity, and Availability of Information
The initial breach did not originate inside Target; rather, compromised credentials from Fazio Mechanical allowed the attackers to move into Target’s network. The confidentiality, integrity, and availability of information within Target were challenged because an information assurance plan built on the three key concepts mentioned above was not being maintained. Had Target been patching sensitive vulnerabilities within their system and mitigating weak segmentation between internal networks that contain non-sensitive and sensitive information, the attackers would not have been able to access Target’s point-of-sale networks. Creating and maintaining an information assurance plan around the key concepts mentioned above ensures the confidentiality, integrity, and availability of information within the organization. Target is one of the largest retailers in North America and encounters a great deal of sensitive data every single day. The point-of-sale (POS) systems run all the transactions between Target and paying customers. After the attackers were able to successfully a third-party vendor (Fazio Mechanical) that Target used, then the attack would have never happened. For both impacted parties, a successful information assurance plan would have mitigated the risk of a breach like this happening by ensuring that the proper frameworks were being followed. Through implementing an information assurance plan, data confidentiality, integrity, and availability are enhanced, responsiveness to any future breaches is improved, cybersecurity posture is increased, and the systems, processes, and procedures within the organization are enhanced.
Current Protocols and Policies
Target did have protocols and policies in place at the time of the breach; however, deficiencies existed within the organization’s information assurance policies. Target had a dedicated security staff implementing safeguards throughout its network to protect sensitive data, running teams of security personnel out of Minneapolis (MN) and Bangalore (India). There were two alerts that the security team failed to acknowledge. The first alert was sent by the security system (FireEye) that caught the hack itself; however, because the security team was still trying to set up baselines to reduce the likelihood of false positives, the alert feature was turned off. Next, the Symantec Endpoint Protection program that was in use by Target threw another alert for detecting malware around Thanksgiving; however, the alert went ignored. At the time of the breach, the protocols and policies that Target had in place were far less secure than what they have in place now, after taking many lessons learned away from the breach. Prior to the breach, there were many deficiencies within the information assurance plan, such as: