Task
The ACME CISO was impressed with your work so far, and she has asked that you join her team as a consulting enterprise security architect.
Now that ACME has a clear set of security control configuration and behavioural requirements (the ACSS), you must assess the ACME information processing environment more broadly to identify any weaknesses or opportunities for improvement.
(ACME system architecture diagram to be supplied on the Interact2 subject site)
Your first task in the new role was to commission an external Red Team exercise – a controlled offensive security test designed to explore the weaknesses in the ACME environment. A summary of the Red Team findings is as follows:
- ACME users only ever authenticate with a username and password, regardless of how they access the information systems and whether the systems are on-premises or in the cloud.
- Unprotected documents were located on the ACME network that contained sensitive customer information, including credit card numbers and CVV codes.
- Critical servers in the ACME data centre are accessible from every workstation, including those in the offices and warehouses.
- The ACME customer portal software was vulnerable to cross-site scripting (XSS) and session fixation attacks.
- A dummy file of ‘stolen’ sensitive corporate and customer information was successfully sent externally from an ACME workstation.
YOUR TASK
Using the information provided above, you must create a report for the ACME board which describes how ACME is exposed to cyberattacks and how the security division proposes to address this. Specifically, your report should contain:
- An executive summary describing the intent of the report and a digest of the findings and any recommendations.
- A brief risk assessment, describing 3-5 credible risks faced by ACME information assets. This assessment must include the applicable threat, including vector and actor(s), and propose an inherent risk rating using a sensible and appropriate risk assessment approach.
- A selection (2-3) of security controls or changes that address each of the risks you have identified.
- Demonstrated alignment between your recommendations and the ACSS requirements from the previous assignment.