ICT380 Information Security Policy and Governance
Added on 2021/08/16
WA OIL AND GAS INC.
CONTENTS
1. INTRODUCTION
  1.1 OVERVIEW
  1.2 OBJECTIVE
  1.3 VISION
  1.4 MISSION STATEMENT
2. TEAM INTRODUCTION
  2.1 AREAS OF INTEREST AND SKILLS
  2.2 ROLES AND RESPONSIBILITIES
3. RISK MANAGEMENT
  3.1 RISK ANALYSIS
  3.2 RISK ANALYSIS SUMMARY
  3.3 RISK ASSESSMENT
    3.3.1 INFORMATION ASSETS
    3.3.2 INFORMATION ASSETS RANKING
  3.4 RISK ASSESSMENT SUMMARY
  3.5 COST BENEFIT ANALYSIS
  3.6 CONTROL STRATEGY
  3.7 ALIGNMENT WITH STANDARDS
4. TOOLKIT
  4.1 INTRODUCTION
  4.2 SCOPE
  4.3 SECURITY CONTROLS IMPLEMENTATION PLAN
    4.3.1 CREATING AN INCIDENT RESPONSE CAPABILITY
  4.4 INCIDENT RESPONSE WEEKEND PLAN
    4.4.1 PREPARATION
    4.4.2 IDENTIFICATION
    4.4.3 CONTAINMENT
    4.4.4 ERADICATION
    4.4.5 RECOVERY
    4.4.6 LESSONS LEARNED
  4.5 INFOGRAPHICS
  4.6 REFERENCES
HISTORY
DATE CREATED | CREATED BY    | REVIEWED | REMARKS
07/12/2021   | Mahlaqa Iqbal |          | Introduction
07/13/2021   | Mahlaqa Iqbal |          | Team Introduction
07/16/2021   | Mahlaqa Iqbal |          | Risk Analysis and Assessment
07/18/2021   | Mahlaqa Iqbal |          | Toolkit
1. INTRODUCTION
1.1 OVERVIEW
WA Oil and Gas Inc. is a full-spectrum analytical, software and hardware solutions
company specializing in analysis, simulation, monitoring, control, optimization and
automation for the oil and gas sector. Its services offer the most comprehensive
suite of integrated enterprise system solutions. WA Oil and Gas Inc. not only holds a
40% market share in tailored oil and gas monitoring services; its client base also
relies on it for consistent upgrades, which sets it apart for long-term
relationships with its clients.
1.2 OBJECTIVE
The main objective of this report is to provide recommendations for security
measures with respect to the current security posture of WA Oil and Gas Inc. It will
also provide a detailed risk assessment to improve the security structure thereafter.
1.3 VISION
WA Oil and Gas Inc.'s vision is to provide unmatched monitored and automated
seismic data services to the oil and gas industry with the latest technology on the
market.
1.4 MISSION STATEMENT
The aim of this risk assessment is to improve the overall information security
structure of the company.
2. TEAM INTRODUCTION
The members participating in this activity are listed below.
2.1 AREAS OF INTEREST AND SKILLS
In this section, the areas of interest and skills of the team members are listed.

Team Member: QIN JIANRONG
  Area of interest: Supervising people, counseling and providing advice, solving computer security problems, solving computer programming problems, organization and planning
  Skills: Computer literate, supervising, organization and planning, management of people

Team Member: Chung Chow Shiung
  Area of interest: Leadership, researching, solving computer problems, gathering information
  Skills: Scientific curiosity, imaginative with ideas, troubleshooting, computer literacy, making decisions

Team Member: Zhu Yuanyuan
  Area of interest: Helping, graphic design, analyzing, behavioral management, time management
  Skills: Supervising, counselling, analytical data, research, time management

Table 2.1 - Members' areas of interest and skills

2.2 ROLES AND RESPONSIBILITIES
In this section, the roles and responsibilities of the team members are defined.

Team Member: QIN JIANRONG
  Role: Leader
  Responsibilities: Clarifies the aim of the group and helps the group set goals during each meeting. Makes sure everyone understands the concept.

Team Member: Chung Chow Shiung
  Role: Researcher
  Responsibilities: Gathers all requested information and patterns via research.

Team Member: Zhu Yuanyuan
  Role: Documentation
  Responsibilities: Aligns, reports and documents the available information in the requested flow and format.

Table 2.2 - Roles and Responsibilities
3. RISK MANAGEMENT
3.1 RISK ANALYSIS
Based on the IT infrastructure of WA Oil and Gas Inc., a brief analysis is conducted to
give an overview of the threat areas. Further undertakings are suggested
thereafter for all the risks identified in this organization. Standards such as the CIS
Controls and ISO 27001 are kept as the benchmark for protecting the assets of WA Oil
and Gas Inc.
The risk analysis table focuses on four main areas: technical security,
human security, physical security, and issues with policies and procedures.
The risk analysis table is as follows.

Categories: Risk Identified / Remediation

Technical Risk

1. Risk identified: Data leakage via insecure protocols and channels used to send sensitive data.
   Remediation: Ensure that secure protocols such as HTTPS and SFTP are used across the organization, so that attackers are unable to sniff the contents, as they are protected by encryption.

2. Risk identified: WA Oil and Gas Inc. is vulnerable to service outages due to the lack of a redundant ISP.
   Remediation: The organization must have more than one reliable ISP to avoid disruption of business operations.

3. Risk identified: As WA Oil and Gas Inc. needs to process, store or transmit customers' credit card information for paid services such as processed reports and formatted seismic data, PCI DSS must be complied with. The company may be at risk of technical non-compliance due to weak access controls and vulnerable systems within the infrastructure, both of which are covered by the requirements of the standard.
   Remediation: Audits should be conducted at regular intervals to ensure that all mandatory compliance standards, laws and regulations are abided by. WA Oil and Gas Inc. is to ensure that the required technological upgrades and settings are done in such a way that they comply with the required agenda.

4. Risk identified: CRM, HR and accounting systems are installed locally on desktop and laptop machines as required, which can cause a lack of visibility of the flow of information. Also, anyone in the organization can easily get hold of customers' personal and financial information.
   Remediation: Applications or software used to access or store customer, employee and organization financial information should be centrally managed. This helps the administrator or the organization gain visibility of who accesses, extracts or copies information, and when and where. Data loss prevention can also be used to reduce the chance of this sensitive information being extracted and leaked out of the organization's premises. Also, it can
save the organization from huge penalties.

5. Risk identified: Databases are connected to the internet and can be accessed remotely. Having a connection from the database to the internet greatly increases the chance of the database becoming a target for cyber-attack, which can lead to information theft or impact the availability of the databases and may affect the innovation goals of the company.
   Remediation: As per CIS Control 14.4, sensitive information in transit should be protected by encryption. This can be achieved by using a VPN to prevent threat actors from gathering any information about the databases.

6. Risk identified: The Universal Plug and Play (UPnP) protocol is turned on for all Wi-Fi access points. An attacker can make use of this protocol to discover all the endpoints and peripheral devices within the organization, after which a DDoS attack can be launched, crippling the organization's infrastructure; and since the logging feature is turned off, there is no way for administrators to view any critical logs regarding the attack.
   Remediation: According to CIS Control 15.9, unneeded peripheral access of devices such as UPnP should be disabled. Also, CIS Controls 6.2 and 6.3 recommend that logging be enabled on networking devices.

7. Risk identified: Routers and switches are enabled for remote access using telnet. Connections and information exchange are in clear text when telnet is used, which renders the routers and switches susceptible to eavesdropping or man-in-the-middle attacks and gives a high chance of these devices being compromised.
   Remediation: Using the SSH protocol instead of telnet to access the network equipment is an effective practice.

8. Risk identified: There is no secondary or redundant link from client endpoints to the server room. This is a potential traffic bottleneck and an availability issue when the link on the Multilayer Switch (MLS) at the server room is down, as it renders all the resources housed in the server room unavailable.
   Remediation: Set up a secondary MLS or link aggregation to provide a redundant path, so that access to the resources and servers remains available if a link is down.

9. Risk identified: There is no firewall or security appliance to restrict access from the internet to the organization's network. This allows malicious threat actors to conduct various forms of cyber-attack against the organization.
   Remediation: Perimeter firewalls should be deployed to provide segregation between segments and additional layers of security between the traffic from the internet and the organization, allowing only approved ports, protocols and services as per CIS Control 14.1.

10. Risk identified: Operating systems are not updated. This allows unpatched vulnerabilities to be exploited by malicious attackers and causes a variety of confidentiality, integrity and availability issues. Such OSes include Windows 2008 R2 and the IBM blade Linux OS.
    Remediation: Ensure that EOL products are upgraded, as vendors no longer provide patches for such systems to remediate any vulnerabilities. The Linux OS should still be updated regularly to address possible vulnerabilities. To prevent stability issues, updates should be fully tested in a staging environment or VM before being applied.
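Several of the technical findings above (cleartext telnet, HTTP and FTP; UPnP left on at access points; logging disabled on network devices; internet-reachable databases; end-of-life operating systems) are per-asset configuration facts that can be checked from an inventory. The Python script below is an added example, not a tool from this report or from WA Oil and Gas Inc.; its inventory is constructed, and each finding carries the CIS Control number the table cites for that item.

```python
"""Configuration audit for the per-asset items in the technical risk table.

Example code added to this report, not a tool from WA Oil and Gas Inc.
The inventory is constructed; CIS Control numbers are the ones the table cites.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Cleartext protocols the table calls out, mapped to the replacement it recommends.
CLEARTEXT_PROTOCOLS: Dict[str, str] = {"telnet": "SSH", "http": "HTTPS", "ftp": "SFTP"}

# Operating systems the table names as end-of-life. Extend from vendor lifecycle data.
EOL_OS = {"windows server 2008 r2"}

NETWORK_DEVICE_KINDS = {"router", "switch", "ap"}


@dataclass
class Asset:
    name: str
    kind: str                      # router, switch, ap, database, server, workstation
    os: str = ""
    services: List[str] = field(default_factory=list)   # "proto/port" strings
    internet_exposed: bool = False
    upnp_enabled: bool = False
    logging_enabled: bool = True


@dataclass
class Finding:
    asset: str
    risk: str
    remediation: str
    control: str


def audit_asset(asset: Asset) -> List[Finding]:
    """Apply the table's per-asset checks to one asset and return its findings."""
    found: List[Finding] = []
    for svc in asset.services:
        proto = svc.split("/", 1)[0].lower()
        if proto in CLEARTEXT_PROTOCOLS:
            found.append(Finding(asset.name, f"cleartext {proto} service ({svc})",
                                 f"replace with {CLEARTEXT_PROTOCOLS[proto]}", "CIS 14.4"))
    if asset.kind == "database" and asset.internet_exposed:
        found.append(Finding(asset.name, "database reachable from the internet",
                             "allow access only over VPN and filter at the perimeter firewall",
                             "CIS 14.1/14.4"))
    if asset.kind == "ap" and asset.upnp_enabled:
        found.append(Finding(asset.name, "UPnP enabled on Wi-Fi access point",
                             "disable UPnP", "CIS 15.9"))
    if asset.kind in NETWORK_DEVICE_KINDS and not asset.logging_enabled:
        found.append(Finding(asset.name, "logging disabled on network device",
                             "enable logging and forward it centrally", "CIS 6.2/6.3"))
    if asset.os.lower() in EOL_OS:
        found.append(Finding(asset.name, f"end-of-life OS ({asset.os})",
                             "upgrade; the vendor no longer ships patches", "patching"))
    return found


def audit_inventory(assets: List[Asset]) -> List[Finding]:
    """Run every asset through audit_asset and flatten the results."""
    return [f for a in assets for f in audit_asset(a)]


def count_by_control(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per cited control, useful for the risk summary."""
    return dict(Counter(f.control for f in findings))


# Constructed inventory mirroring the situations the table describes.
SAMPLE_INVENTORY = [
    Asset("core-rtr-01", "router", os="vendor firmware",
          services=["telnet/23"], logging_enabled=False),
    Asset("wifi-ap-03", "ap", services=["https/443"], upnp_enabled=True),
    Asset("seismic-db-01", "database", os="Linux",
          services=["postgres/5432"], internet_exposed=True),
    Asset("file-srv-02", "server", os="Windows Server 2008 R2",
          services=["ftp/21", "smb/445"]),
    Asset("sales-lt-17", "workstation", os="Windows 10", services=["https/443"]),
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.asset:15} {f.control:13} {f.risk} -> {f.remediation}")
```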
Human Risk

1. Risk identified: Allowing temporary staff to have the same access as permanent staff reflects a weak security culture. These human risks can make the company susceptible to multiple malicious attack vectors.
   Remediation: Regular mandatory security awareness training or related talks, instilling leadership-driven governance, motivating through rewards, and improving existing security policies while making sure employees are aware of and acknowledge such policies. This recommendation is in accordance with CIS Control 17.

2. Risk identified: Hiring temporary staff from a recruitment firm may be dangerous. It is not known whether the recruiting firm conducts background checks.
   Remediation: The organization should do a background check on the employment agency's reputation, reliability and credibility. It should also conduct background checks on the candidates provided by the employment agency and conduct individual interviews to ensure that temporary or contracted staff meet the organization's requirements.

3. Risk identified: Allowing sales staff to work at any location with immediate access to clients' data or resources is a potential risk, as sales staff can connect to any Wi-Fi without knowing whether the SSID they are connected to is a legitimate one. This makes them susceptible to man-in-the-middle attacks and increases the chance of information theft.
   Remediation: According to CIS Control 14.4, all sensitive information in transit should be protected by encryption. This can be achieved by deploying VPN clients to client PCs to allow a private connection to a VPN controller in the organization's network.

4. Risk identified: Issuing an additional computer to a certain group of staff increases the following risks: staff might misplace it, or store it in an improper way or place if they deem that they do not need the additional computer; and additional computers might be misused by staff for non-work-related purposes.
   Remediation: The organization should not issue a second or additional computer to these groups of staff. Instead, if staff need an additional computer due to work requirements, they should file a request with the desktop support team or raise a request with their direct superior. All terminals should also have disk-level encryption so that, when terminals are misplaced, information at rest is still protected.

5. Risk identified: Contracted and temporary staff have the same access rights as permanent staff. There is a higher chance that anyone from the staff, intentionally or unintentionally, modifies information, and company records may be manipulated.
   Remediation: Access to information within the organization should be restricted for this group of staff, since they will be either with the company for a short period of time or only providing ad-hoc services. Access given should be restricted to what is needed to perform their duties. Other than that, encryption
or Privileged Access Management
(PAM) can be used as an additional
layer of security to protect these
data or documents.
6. Higher management have their own offices and are not allowed to bring their laptops home. Since it is an open-plan layout, their offices can be breached by cleaners after working hours if they do not lock their office.
Mitigation: Enforce a policy to ensure all employees lock their offices before leaving work. Employ security officers to make hourly rounds and make sure that places that should be locked are locked.
Physical Risk
1. Access controls within the company are weak, with unlocked doors and unescorted personnel. This may allow potential threat actors to gain physical access to places where they should not be allowed. Confidentiality, integrity and availability of systems can be compromised by such threat vectors, which can cripple the company's day-to-day operations.
Mitigation: Ensure warning signboards and adequate monitoring devices such as CCTVs are placed in strategic locations to act as a deterrent to threat actors. Additionally, locations in the office can be classified to indicate which areas are restricted. Access controls of sensitive areas shall be improved with technological enhancements like automatic door locks and MFA. A "clean desk" policy should also be enforced so that all information is kept out of sight.
2. The door access to the IT office area is not locked during office hours, and during the weekly scheduled maintenance the office area is vacant from 4am to 6am. This is a risk due to the following factors:
- During office hours, anyone can enter the IT office area, and the server room is not locked. Information assets stored in these unprotected areas are susceptible to problems such as theft.
- During the weekly scheduled maintenance period, there will be no one in the office and any person with ill intent can access the office area to perform malicious acts.
Mitigation: The door access to the IT office area should be locked at all times. Staff working in this area must be made aware of the importance of locking these doors to prevent unauthorized access when no one is around during the scheduled maintenance period. Digital access locks can also be implemented on the door to the office area; these serve as additional security to prevent unauthorized access and also mitigate the issue of staff forgetting to lock the door when no one is around.
3. The server room is not locked and depends on IT staff to lock it. This may give access to unauthorized people at any point during office hours.
Mitigation: All doors to locations where critical information assets are housed should have physical security controls such as digital security locks to prevent unauthorized personnel from accessing these areas.
4. Backup tapes which contain client data are housed on open racks. Although the data processing room is locked and only authorized personnel are allowed into the room, the risk of leakage of client data still exists, since the backup tapes can be accessed by any person that is allowed into the processing room. The risk includes leakage of existing client data.
Mitigation: According to CIS Control 10, backups which contain client data should be stored at a physically protected and secure location. Encryption can also be used to protect these backup tapes. Additionally, these tapes should be kept in a secure place, tagged to indicate the backup date and what kind of data is stored on them, and there should be a procedure or process defining who can access these tapes and how. There should also be an asset list which includes the number of tapes stored in the secured place, and the asset list must be checked against these items to ensure that there are no missing items.
Process/Procedures at Risk
1. Passwords and the password policy are not reviewed and updated at regular intervals, which may lead to outdated organizational practices.
Mitigation: Company policies shall be reviewed immediately and at regular intervals, which will help to improve operational performance.
2. Critical information like clients' data and resources is stored on external hard drives. Moreover, staff are allowed to carry them out of the premises.
Mitigation: According to CIS Control 13.9, all data stored on external hard drives must be encrypted. Also, the company should increase internal hard drive storage rather than using external drives.
3. Zoom meetings are used mostly for personal purposes and are not documented, which leaves security loopholes, whereas MS Teams meetings are documented and managed centrally.
Mitigation: Enforce a policy for all staff to use MS Teams for all meetings that are classified. Zoom meetings should only be used for non-sensitive meetings like technical training and vendor-related meetings.
4. The company's data processing unit runs its own separate backup on a tape loader. This is a procedural risk as it can cause a lack of accountability, and the tapes are subject to theft.
Mitigation: A separate copy of the backup shall not be allowed, as this increases the chances of backup data being leaked or stolen due to misplacement or improper storage.
5. Linux OS is not updated regularly, for stability of the kernel and systems, which causes security incidents.
Mitigation: Critical machines' operating systems can be tested in a test environment before being deployed to prevent stability issues.
6. Staff use either Windows OS or Mac OS for their laptops. Having 2 different OSes in the same environment makes management of the software more complex, as there will be compatibility issues when software patches are pushed down from the server.
Mitigation: There shall be only 1 standardized OS in the office network to make it easier to manage software updates.
7. Passwords for the SoftMicro Defender antivirus software and Red-Rock firewall software are too short, and can be easily guessed or brute-forced by attackers to gain access.
Mitigation: Using ISO/IEC 27001:2013 Annex 9.4 as a baseline, passwords shall include numbers, special characters and mixed-case characters, and the length shall be increased to 10.
8. The password policies enforced for new employees are set to 6 characters long and are not required to change after 6 months. 6-character passwords can be easily guessed or brute-forced, allowing an attacker access to the 2nd authentication factor.
Mitigation: Using ISO/IEC 27001:2013 Annex 9.4 as a baseline, the password policy should be set to require at least 10 characters and implement a change of password on a 3-monthly basis.
3.2 RISK ANALYSIS SUMMARY
According to the risk analysis, WA Oil and Gas Inc. found a few common patterns in the causes of these risks. Firstly, most risks discovered in all risk tables involve some form of bad security practice by employees. Secondly, there are also weaknesses in basic security awareness, which can be seen in all risk tables. In this section, one risk from each of the risk tables listed in Section 3 will be used to explain the common patterns found.
In Point 7 of Table 3.3.1, employees have a bad security practice of using unsecure protocols like "telnet" to access networking devices. Engineers should be technically sound enough to advise team leads or managers that such practice carries the risk of allowing sensitive information to be compromised.
In Point 5 of Table 3.2, the organization allowed both contracted staff and temporary staff to hold the same access rights as permanent staff. This is also considered a bad security practice, as hiring managers should know that allowing the same level of access rights as permanent staff creates security risks in itself.
Table 3.3 contains the most bad security practices, such as leaving places unsecured and having inadequate security controls. It is common security practice that sensitive locations within an organization should be secured by locking, and no unauthorized access should be allowed.
Point 5 of Table 3.4 accurately depicts the bad security practice caused by engineers. Although it might be true that stability issues can occur during and after any upgrade process, this should not be a reason to not update systems altogether. System engineers should follow best practice by reading the release notes from vendors and advising on the need for the upgrade instead of avoiding any patching.
In conclusion, the general cause of the risk flaws in WA Oil and Gas Inc. is that they do not follow standard security policies and procedures to prevent security risks. This also includes employees not being properly educated about such risks and the consequences that follow a breach of security.
3.3 RISK ASSESSMENT
3.3.1 INFORMATION ASSETS
SR. No | Categories | Information Assets
1. | People | Permanent Staff, Temporary Staff, Clients, Contractors
2. | Procedure | Visitor handling procedure, Temporary Staff, Contractors Handling Procedure, Top-Secret Projects, Unclassified Projects
3. | Data | Clients' data, R and D data backup, Seismic Data Analytics and Report
4. | Software | SoftMicro Defender Antivirus software, Red-Rock Firewall software, CRM software, HR software, Accounting software
5. | Hardware | Printers, 3D printers, HP 1/8 G2 Tape Autoloader, HP 1/8 G2 Tape Loader, Acer Aspire TC-885 Desktops, Dell Precision 7920 Desktops, Dell Latitude 7480 Laptops, Apple Macbook Laptops, 1TB External HDDs
6. | Networking | HP ProLiant G5 and G6 servers, Windows 2008 R2 server, IBM Blade center servers, VOIP Server, HP ProLiant G5/6 Domain controller, HP ProLiant G5/6 web server, telnet, Cisco 3845 ISR, Cisco 3750E Switches, Cisco 2960 Access Switches, Cisco 1242AG Wireless AP, Cisco 7941G IP phone, Voice Gateway, Network Cabling
Table 3.3.1 - Information assets, WA Oil and Gas Inc.
3.3.2 INFORMATION ASSETS RANKING
In this section, the information assets displayed in Table 3.3.2 are ranked
according to their level of importance, from the top being the most important,
to the bottom, signifying the least importance. The rankings of the information
assets are determined by conducting a Cost-Benefit Analysis (CBA) on all
information assets.
Note that only the top 20 are shown in this table.
Sr. No. | Information Assets | Ranking
1. | Client | High
2. | Employees (permanent, temporary) | High
3. | Clients' data tapes | High
4. | Contractors | High
5. | Unclassified Projects | High
6. | Seismic Data analytics & reports | High
7. | Top Secret Projects | High
8. | R&D data backups | High
9. | Dell Latitude 7480 Laptops | Medium
10. | Dell Precision 7920 Desktops | Medium
11. | Acer Aspire TC-885 Desktops | Medium
12. | Seismic Data Application source code | Medium
13. | Network Cabling | Medium
14. | Microsoft 365 Enterprise | Medium
15. | Web Application source code | Medium
16. | Red-Rock Firewall software | Low
17. | Apple Macbook Laptops | Medium
18. | Symantec Endpoint Protection | Low
19. | SoftMicro Defender Antivirus software | Low
20. | Photocopier/Printers | Low
21. | HP ProLiant G5 and G6 servers | High
22. | HP 1/8 G2 Tape Loader | High
23. | Windows 2008 R2 server | High
24. | Swans ISP | Low
Table 3.3.2 - Asset Ranking Table
3.4 RISK ASSESSMENT SUMMARY
Based on Tables 3.3.1 and 3.3.2 shown above, the category of "People" has been classified as the most important category of asset to the organization, as clients are the main source of income for the organization. Secondly, to be able to fulfil the clients' needs, the organization's workforce contributes most of the deliverables and projects to the client. At the same time, the staff can also be a contributing factor to the current risks that exist in the organization, as can be seen in the list of identified risks in Section 3, where in each of the categories there are risks that involve the actions of staff, although it is not stated whether this is due to loopholes in existing policies or a lack of policy in the organization. It is recommended to have strict policies and SOPs in place, as this can ensure that employees adhere to the rules and regulations that have been implemented.
3.5 COST BENEFIT ANALYSIS
The table below shows the Cost Benefit Analysis (CBA) of the information assets within the organization. Please note that the Asset Value and Exposure Factor values are averaged, estimated values.
AV = Asset Value
EF = Exposure Factor (0 - 1)
SLE = Single Loss Expectancy (AV x EF)
Pre/Post ARO = Annual Rate of Occurrence (0 - 100%)
Pre/Post ALE = Annual Loss Expectancy (SLE x ARO)
ACS = Annual Cost of Safeguard
CBA = Cost-Benefit Analysis (Pre ALE - Post ALE - ACS)
Assets | AV ($) | EF | SLE ($) | ARO (Pre / Post) | Pre ALE ($) | Post ALE ($) | ACS ($) | CBA ($)
Employees | 2,000,000,000 | 0.5 | 1,000,000,000 | 50% / 10% | 500,000,000 | 100,000,000 | 19,200,000 | 380,800,000
Clients | 8,000,000,000 | 0.3 | 2,400,000,000 | 33.3% / 10% | 799,200,000 | 240,000,000 | 5,000,000 | 770,200,000
Contractors | 100,000,000 | 0.6 | 60,000,000 | 200% / 20% | 120,000,000 | 24,000,000 | 500,000 | 95,500,000
Unclassified Projects | 430,000,000 | 0.4 | 172,000,000 | 50% / 20% | 86,000,000 | 34,400,000 | 1,000,000 | 50,600,000
Clients' data tapes | 800,000,000 | 0.3 | 240,000,000 | 50% / 20% | | 48,000,000 | 500,000 | 71,500,000
R&D data backups | 10,000,000 | 0.5 | 5,000,000 | 100% / 15% | 5,000,000 | 750,000 | 500,000 | 3,750,000
Seismic Data analytics & reports | 60,000,000 | 0.3 | 18,000,000 | 200% / 33.3% | 36,000,000 | 5,994,000 | 200,000 | 29,806,000
Top Secret Project | 700,000,000 | 0.6 | 420,000,000 | 10% / 0% | 4,200,000 | 0 | 1,000,000 | 3,200,000
Web App source code | 2,200,000 | 0.4 | 880,000 | 33.3% / 10% | 293,040 | 88,000 | 50,000 | 155,040
Seismic Data App source code | 10,000,000 | 0.3 | 3,000,000 | 33.3% / 10% | 999,000 | 300,000 | 100,000 | 599,000
Microsoft 365 Enterprise | 600,000 | 0.2 | 120,000 | 300% / 50% | 360,000 | 60,000 | 50,000 | 250,000
Symantec Endpoint Protection | 720,000 | 0.2 | 144,000 | 50% / 10% | 72,000 | 14,400 | 0 | 57,600
SoftMicro Defender Antivirus software | 600,000 | 0.2 | 120,000 | 50% / 10% | 60,000 | 12,000 | 0 | 48,000
Red-Rock Firewall software | 1,200,000 | 0.2 | 240,000 | 50% / 10% | 120,000 | 24,000 | 0 | 96,000
CRM software | 100,000 | 0.3 | 30,000 | 50% / 20% | 15,000 | 6,000 | 5,000 | 4,000
HR software | 100,000 | 0.3 | 30,000 | 50% / 20% | 15,000 | 6,000 | 5,000 | 4,000
Accounting software | 100,000 | 0.3 | 40,000 | 50% / 20% | 20,000 | 8,000 | 5,000 | 7,000
Photocopier/Printers | 300,000 | 0.1 | 30,000 | 100% / 30% | 30,000 | 9,000 | 10,000 | 35,000
3D Printers | 22,000 | 0.1 | 2,200 | 100% / 30% | 2,200 | 660 | 500 | 1,040
IBM Blade Center Servers | 38,000 | 0.4 | 15,200 | 100% / 33.3% | 15,200 | 5,061 | 5,000 | 5,139
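The Section 3.5 formulas carried through in code, as an added example that is not part of the report: it recomputes SLE, both ALEs and the CBA for five rows copied from the worksheet above and reports any row whose printed CBA does not match the recomputed one. The row class and the `explain` and `check` helpers are the example's own names, and the 33.3% rates are entered as 0.333.

```python
"""Recompute the Section 3.5 worksheet from its own definitions.

Added example (not from the report). Formulas are the ones stated above:
SLE = AV x EF, ALE = SLE x ARO, CBA = Pre ALE - Post ALE - ACS.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CbaRow:
    """One asset row; values copied from the worksheet, percentages as fractions."""
    asset: str
    av: int           # Asset Value, $
    ef: float         # Exposure Factor, 0-1
    aro_pre: float    # ARO before the safeguard (1.0 = 100%, 2.0 = 200%)
    aro_post: float   # ARO after the safeguard
    acs: int          # Annual Cost of Safeguard, $
    stated_cba: int   # CBA figure as printed in the worksheet, $


def sle(row: CbaRow) -> int:
    """Single Loss Expectancy = AV x EF, rounded to whole dollars."""
    return round(row.av * row.ef)


def ale(row: CbaRow, aro: float) -> int:
    """Annual Loss Expectancy = SLE x ARO for the given occurrence rate."""
    return round(sle(row) * aro)


def cba(row: CbaRow) -> int:
    """Cost-Benefit = Pre ALE - Post ALE - ACS; positive means the safeguard pays."""
    return ale(row, row.aro_pre) - ale(row, row.aro_post) - row.acs


def explain(row: CbaRow) -> dict:
    """Every intermediate figure for one row, for a reviewer to eyeball."""
    return {
        "SLE": sle(row),
        "ALE_pre": ale(row, row.aro_pre),
        "ALE_post": ale(row, row.aro_post),
        "ACS": row.acs,
        "CBA": cba(row),
        "worthwhile": cba(row) > 0,
    }


def check(rows) -> dict:
    """Map asset -> (stated CBA, recomputed CBA) for rows that do not agree."""
    return {r.asset: (r.stated_cba, cba(r)) for r in rows if cba(r) != r.stated_cba}


# Five rows copied from the Section 3.5 worksheet; 33.3% is entered as 0.333
# because that is what reproduces its 799,200,000 and 293,040 ALE figures.
WORKSHEET = [
    CbaRow("Employees", 2_000_000_000, 0.5, 0.5, 0.1, 19_200_000, 380_800_000),
    CbaRow("Clients", 8_000_000_000, 0.3, 0.333, 0.1, 5_000_000, 770_200_000),
    CbaRow("Seismic Data analytics & reports", 60_000_000, 0.3, 2.0, 0.333, 200_000, 29_806_000),
    CbaRow("Web App source code", 2_200_000, 0.4, 0.333, 0.1, 50_000, 155_040),
    CbaRow("Photocopier/Printers", 300_000, 0.1, 1.0, 0.3, 10_000, 35_000),
]

if __name__ == "__main__":
    for r in WORKSHEET:
        print(f"{r.asset:34} {explain(r)}")
    for asset, (stated, computed) in check(WORKSHEET).items():
        print(f"mismatch: {asset}: worksheet says {stated:,}, formulas give {computed:,}")
```

Running it reproduces the Employees, Seismic Data and Web App rows exactly and flags the Clients and Photocopier rows, which is the kind of arithmetic check a reviewer should run before a CBA table is used to justify safeguard spending.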
3.6 CONTROL STRATEGY
Here are some key strategies for how the identified risks may be mitigated according to the security policy. Below is a tabulated form of the identified risks and their mitigations:
No. | Risk | Risk mitigation in Security Policy
1. | R&D data leakage when using unsecured protocols or remote connections to send sensitive information. | Section 5.5 of the security policy states to use email file attachment compression and encrypted secured links to send sensitive information to customers. This can eliminate the risk of databases being leaked by an employee or becoming a target for cyber-attacks.
2. | Routers and switches are using telnet for remote access. | Section 8.5 of the security policy disallows the use of unsecure protocols (HTTP, Telnet, FTP); they are not allowed to be used internally or on the external network.
3. | Servers in the network are configured with simple passwords. | Section 10.2 of the security policy ensures that all user accounts are protected by a strong password and that the length and complexity of the password follow CIS guidelines, which will prevent unauthorized access to the company's critical assets.
4. | Usage of operating systems (OS) that are EOL and rarely updated. | Section 7.3 of the security policy states that all servers, workstations, PCs and laptops must be hardened according to the CIS hardening guide and protected with licensed anti-virus software, which should also be updated regularly to keep its signature database current.
5. | Employees have a weak security culture throughout the organization. | Section 11.1 of the security plan will conduct mandatory security awareness training every year for all employees.
6. | Contract and temporary staff have the same access rights as permanent staff. | Section 9.1 of the security plan has created 4 different types of pass for all staff working in the company.
7. | WA Oil and Gas Inc. has weak physical access controls within the company, such as unlocked doors and unescorted personnel. | Section 9.2 of the security plan states all necessary access procedures for visitors, contractors and temporary staff to follow.
8. | Door access to the IT office area is not locked during office hours. | Section 9.4.2 of the security plan states that all door access leading to server rooms, IT offices and areas out of bounds to guests/visitors should be locked at all times, regardless of whether anyone is in or near the premises.
9. | External HDDs are used to store clients' data and resources, and staff can carry them anywhere they go. | Section 7.9 of the security policy states that only encrypted USB drives issued to employees can be used on company laptops and desktops. Non-company-issued USB devices cannot be used on company laptops.
10. | The data processing business unit is running its own separate backup on a tape loader. | Section 9.4.3 of the security policy states that "ALL" physical backup tapes and HDDs should be stored in a secured location monitored by CCTVs.
11. | Linux OS is rarely updated, for stability of the kernel and systems. | Section 7.4 of the security policy implies that all software and hardware firmware updates shall be conducted regularly, reviewed and deployed. This includes IT equipment as well.
3.7 ALIGNMENT WITH STANDARDS
To prevent unauthorized access to the RnD database over remote access connections, we can apply CIS Controls 14.4, 14.7 and 14.8 (Controlled Access) by encrypting all sensitive information in transit, encrypting information at rest, and enforcing access control to data through automated tools. CIS Control 14 covers the processes and tools used to track, control, prevent and correct secure access to the critical assets of an organization.
It will also prevent attackers from stealing information from the database remotely.
We have followed CIS Control 15.9 by disabling unnecessary peripheral access to devices via the UPnP protocol, and CIS Controls 6.2 and 6.3 by enabling logging on network devices to address the security flaws in the Wi-Fi access points.
We have also followed CIS Control 17 by organizing security awareness training for employees. This provides greater self-governance in security awareness and instils a security culture within the company.
We have proposed CIS Control 14.4 by encrypting VPN connections, so that employees use a private, secured connection back to the VPN controller in the company network; this prevents data interception attacks when they connect to unknown Wi-Fi access points.
We proposed implementing CIS Control 10, which states that backup tapes must be stored in a secure location, in order to prevent data from leaking to unauthorized personnel from the open racks of the data processing room.
We have enforced ISO/IEC 27001:2013 Annex A.9.4 as a baseline to address the risk of users creating passwords which are too simple. This password policy requires a mandatory minimum of 10 alphanumeric characters, with passwords changed on a 3-monthly basis. Passwords also cannot be reused or contain the entire string.
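As an added example that is not part of the original plan, the Python validator below implements the password rules just stated: minimum length, a mix of letters and digits, no reuse against a salted hash history, and the 3-monthly rotation check. Reading "alphanumeric" as requiring both letters and digits, reading "3-monthly" as 90 days, and keeping the history as PBKDF2-HMAC-SHA256 digests are assumptions made here.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Parameters from the Section 3.7 password policy (ISO/IEC 27001:2013 A.9.4 baseline).
MIN_LENGTH = 10
MAX_AGE_DAYS = 90          # assumption: "3-monthly" read as 90 days
PBKDF2_ROUNDS = 100_000    # assumption: the history store keeps PBKDF2-HMAC-SHA256 digests

HistoryEntry = Tuple[bytes, bytes]   # (salt, digest) of a previously used password


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Derive a salted digest; only (salt, digest) pairs are retained, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(candidate: str, history: List[HistoryEntry]) -> bool:
    """Reuse check: re-derive the candidate under each stored salt and compare in constant time."""
    for salt, digest in history:
        _, cand_digest = hash_password(candidate, salt)
        if hmac.compare_digest(cand_digest, digest):
            return True
    return False


def check_policy(candidate: str, history: List[HistoryEntry]) -> List[str]:
    """Return all policy violations for a proposed password; an empty list means it is accepted."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    # Interpretation: "alphanumeric" means the password mixes letters and digits, so a
    # ten-letter word or a ten-digit number is rejected; other symbols are still allowed.
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        violations.append("must contain both letters and digits")
    if is_reused(candidate, history):
        violations.append("reuses a previous password")
    return violations


def is_expired(last_changed_iso: str, today_iso: str) -> bool:
    """Rotation check on ISO dates: older than MAX_AGE_DAYS means a change is due."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed demonstration: one prior password in the history store.
    history = [hash_password("OldPassw0rd1")]
    for attempt in ("short1", "abcdefghijk", "OldPassw0rd1", "Refinery2021x"):
        print(attempt, "->", check_policy(attempt, history) or "accepted")
    print("rotation due:", is_expired("2021-01-01", "2021-04-15"))
```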
4. TOOLKIT
4.1 INTRODUCTION
The purpose of this document is to give an overview of the IT infrastructure weaknesses in WA Oil and Gas Inc. It also defines the acceptable work ethics and behavior to observe in the organization.
4.2 SCOPE
The scope of this paper extends not only to addressing our exposure, if any, to this specific threat, but also presents a high-level plan for the implementation of technical, human, physical and process/procedure security best practices throughout our enterprise.
4.3 SECURITY CONTROLS IMPLEMENTATION PLAN
Computer security cannot be effectively addressed in an arbitrary manner. Rather, any effective long-term defense must employ a well-planned approach which considers the problem holistically: applying the principles of defense in depth, leveraging automation where possible, identifying and addressing the root causes of issues, and providing measurable metrics of the effectiveness of the risk mitigation. Clarity comes from the careful assessment of our organization's risk profile and current in-place policies. We can then achieve measured, incremental improvements step by step.
The first step is to undertake a gap assessment to determine our current
security posture and risk profile. We will identify our most critical business
information and map out where it resides, how it moves over the network,
and who should have access to it. This will provide a baseline with which
to identify the most critical security controls to implement. While the gap
assessment has not yet been completed fully, a first draft of an order of
priority is included in the Project Plan annex.
Once the critical gaps in our security posture have been identified and priority has been assigned to the security controls we wish to implement, the implementation of Quick Win controls will provide a rapid benefit in key areas, picking the proverbial low-hanging fruit and significantly reducing our risk profile, in many cases for very little cost. Several of the
security controls should be worked on concurrently; each will be assigned to a relevant departmental lead, so that System Administrators, Security Administrators and management can collaborate and move ahead on a number of initiatives at the same time.
Security awareness and training, not just of technical staff but of all users, will pay dividends in faster identification of the warning signs of possible network, physical and procedural breaches. It will help reduce the danger of accidental or negligent internal threats and promote responsible and secure use of our corporate data and IT infrastructure. This training should be endorsed at the highest level of management and afforded the time and support to be revisited on a regular basis. Over time, as the initial controls are implemented, successfully automated and regularly audited, we should move on to implement lower-priority but still important controls over the next 12-24 months.
4.3.1 CREATING AN INCIDENT RESPONSE CAPABILITY
An incident response capability consists of much more than a group of individuals who will respond to an incident. Such an Incident Handling (IH) team is certainly a key component of the capability, but it needs to be supported by a robust set of policies and processes to succeed. A Security Team will be formed to collaborate on a deliberate audit of networks, people management and their security, physical security, and a robust set of processes/procedures to enable its success. The team will be comprised of:
Team Lead - a member of senior management
Technical Lead - CIO
Senior Security Administrator
Senior Network Administrator
This team will implement the following actions.
Led by the Team Lead, the team will define and assign specific
roles and responsibilities to the team members. Job titles and
specific duties will be outlined, and alternative/backup members
will be identified.
Led by the CIO, the team will develop a clear IH process that
will, in particular, define the critical points at which input and
decisions are required.
Led by the Senior Security Admin, a concise awareness
document will be developed, targeted at the user base at large.
The ‘cheat-sheet’ will educate the reader on what types of
indicators of possible security issues to look for on the network,
and when and how to report them. This document will be
launched at an employee training session and will be revisited
periodically.
Led by the Senior Network Administrator, incident recovery standards will be developed and published. A thorough analysis of the networks, data centers and hosts will be conducted, and estimates of time to repair and priority of repair will be published.
This document will form the basis for the response to any incident and
will allow the IH team to rapidly allocate resources to recovering the
most critical systems first.
The members of the IH Team must be carefully selected to possess the
skills required for their effective leadership in preparation for, during
and after a computer incident occurs. In particular, they must possess
superior management skills, which will permit them to rapidly assess
the situation and take sound action to minimize negative impacts.
They must also possess strong technical and communications skills
which will enable them to grasp the impact of the issue and concisely
explain it to decision makers at relevant points in the incident
response process.
The incident response capability should be exercised regularly to ensure all concerned individuals and decision makers are aware of their parts. This gives the IH team an opportunity to exercise the foundations of our IR plan, noting lessons learned and improving the process for future iterations.
4.4 INCIDENT RESPONSE WEEKEND PLAN
A key assigned task of this tiger team is to develop a plan for the
deliberate assessment of any current breaches of the network and
conduct a thorough recovery over a planned weekend maintenance
period. This strategy will involve significant pre-planning and coordination
between all relevant parties and will be led by the IH Team as outlined
above. In keeping with industry best practices, the six phases of incident
response will be used as the basis for the incident response weekend plan.
These phases are:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
4.4.1 PREPARATION
The preparation phase for the incident response weekend plan will
consist of the following:
Form IH team
Create reporting structure
Create communication plan
In close collaboration with the Detection tiger team, the IH team will leverage several tools and techniques for identifying advanced persistent threat (APT) behavior to seek out APT activity and any other infestations. Creating a clear reporting structure within the IH team and between system owners and management is critical to the success of the response plan. The IH team will need to know whom to contact should any issues arise during plan execution. System owners and management will need to be kept up to date on systems that have been identified as compromised, so that the impact and risk to the organization from the remediation process can be determined.
A communication plan will be created consisting of:
Contact lists of key individuals from the reporting structure
Phone bridge number(s)
Fax numbers or other emergency methods of communication
Email addresses and public encryption keys for encrypted
communication
This communications plan will be exercised during the incident
response weekend activities.
4.4.2 IDENTIFICATION
Identification of Shady RAT compromised systems will leverage the existing work of the Detection tiger team's implementation of correlation tools and network monitoring infrastructure. Because the malware may morph in response to direct identification attempts (scanning, local system command execution, etc.), the identification process will be primarily passive in nature, using network monitoring as the basis for detection. The identification process will consist of:
Identify/implement new traffic signatures (Emerging Threats)
Identify infected systems based on IDS alerts, DNS queries, and
correlation using the Security Onion installation.
The following will be recorded for use during the containment and
eradication phases of the response plan:
IP address
MAC address
Switch port locations (IP to MAC to CAM table associations)
Wireless access point associations if applicable.
Systems that have been identified will be evaluated based on business
and asset criticality, and prioritized for the remaining incident response
phases. System owners and management will be contacted to
communicate the impact of containment and eradication phases on
systems and gain authorization for remediation of critical systems. In
the absence of any clear asset criticality identification, the following
ratings will be used:
Data center servers providing business functionality - High
High level executives/technologists/support personnel
desktops/laptops/tablets - Medium
End user desktops/laptops – Low
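As an added example that is not part of the original plan, the Python below performs the identification step described in this section: it correlates constructed IDS alert lines and DNS query records against a watchlist, enriches each hit with the MAC address, switch port and access-point association the plan says to record, and orders the results by the criticality ratings above. The log formats, addresses, hostnames, switch names and domains are all constructed placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# --- Constructed sample inputs (placeholders, not real indicators or hosts) ------------
# Snort/Suricata "fast" style alert lines; the signature text stands in for an
# Emerging Threats rule and the destination is a TEST-NET documentation address.
IDS_ALERTS = """\
03/20-02:14:07.113 [**] [1:9900001:1] PLACEHOLDER TROJAN beacon [**] {TCP} 10.20.5.17:49512 -> 203.0.113.9:443
03/20-02:15:41.907 [**] [1:9900001:1] PLACEHOLDER TROJAN beacon [**] {TCP} 10.20.7.42:50133 -> 203.0.113.9:443
""".splitlines()

# DNS query records: epoch time, client IP, queried name, record type.
DNS_QUERIES = """\
1616206447.120 10.20.5.17 c2-placeholder.example A
1616206450.551 10.20.1.5 update.vendor-placeholder.example A
1616206461.008 10.20.9.88 c2-placeholder.example A
""".splitlines()
WATCHLIST_DOMAINS = {"c2-placeholder.example"}

ARP_TABLE = {"10.20.5.17": "00:1b:63:84:45:e6",          # IP -> MAC
             "10.20.7.42": "3c:22:fb:12:aa:01",
             "10.20.9.88": "b8:27:eb:5f:23:10"}
CAM_TABLE = {"00:1b:63:84:45:e6": "sw-floor2 Gi1/0/17",  # MAC -> switch port
             "3c:22:fb:12:aa:01": "sw-dc1 Gi1/0/3"}
WLAN_ASSOC = {"b8:27:eb:5f:23:10": "ap-warehouse-03"}    # MAC -> wireless access point
ASSET_ROLE = {"10.20.7.42": "datacenter_server",
              "10.20.5.17": "executive_laptop",
              "10.20.9.88": "enduser_laptop"}

# Ratings from Section 4.4.2 of the plan; assets with no recorded role fall to the
# end-user rating until the system owner has been contacted.
CRITICALITY = {"datacenter_server": "High", "executive_laptop": "Medium", "enduser_laptop": "Low"}
RANK = {"High": 0, "Medium": 1, "Low": 2}

ALERT_SRC = re.compile(r"\{\w+\}\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->")


def hosts_from_ids(lines: List[str]) -> Set[str]:
    """Source IPs named in IDS alert lines."""
    hits = set()
    for line in lines:
        m = ALERT_SRC.search(line)
        if m:
            hits.add(m.group(1))
    return hits


def hosts_from_dns(lines: List[str], watchlist: Set[str]) -> Set[str]:
    """Client IPs that resolved a watch-listed name."""
    hits = set()
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[2].lower() in watchlist:
            hits.add(parts[1])
    return hits


def correlate(ids_lines: List[str], dns_lines: List[str]) -> List[Dict]:
    """Merge detections per host, enrich with the fields the plan records, and prioritise."""
    evidence = defaultdict(set)
    for ip in hosts_from_ids(ids_lines):
        evidence[ip].add("ids")
    for ip in hosts_from_dns(dns_lines, WATCHLIST_DOMAINS):
        evidence[ip].add("dns")

    records = []
    for ip, kinds in evidence.items():
        mac = ARP_TABLE.get(ip)
        role = ASSET_ROLE.get(ip, "enduser_laptop")
        records.append({
            "ip": ip,
            "mac": mac,
            "switch_port": CAM_TABLE.get(mac),
            "access_point": WLAN_ASSOC.get(mac),
            "evidence": sorted(kinds),
            "criticality": CRITICALITY[role],
        })
    # Highest criticality first, then hosts with more independent detections, then by IP.
    records.sort(key=lambda r: (RANK[r["criticality"]], -len(r["evidence"]), r["ip"]))
    return records


if __name__ == "__main__":
    for rec in correlate(IDS_ALERTS, DNS_QUERIES):
        print(rec)
```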
Additionally, after consulting with forensics expert Rob Lee, the following additional steps should be taken in order to root out all malware infestations, giving the best chance of eliminating the advanced persistent threat and preventing reinfection:
Live-image known systems that appear to be compromised.
Complete a thorough forensic analysis of each image
Use the information gleaned from the forensic analysis to
develop additional detection mechanisms such as file hashes,
registry keys and other malware threat intelligence.
Process lists that have been statistically analyzed for ‘Frequency
of Least Occurrence’.
Use this information to actively scan the enterprise looking for additional systems that are infected but lie dormant.
Using this approach iteratively to identify all infected systems, both
active and dormant, will substantially increase the chances of
successful elimination of the advanced persistent threat posed by
malware.
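The "Frequency of Least Occurrence" step above is the stacking technique used in enterprise forensics: inventory the running processes on every host, group identical (path, hash) pairs, and examine whatever appears on the fewest machines, together with familiar names that show up under more than one path or hash. The Python below is an added example, not part of the original plan; the hostnames, paths and hash values are constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed inventory of (host, image path, file hash); the hash values are placeholders.
# Five workstations on a standard build, plus two outliers an analyst should notice.
PROCESS_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-101", r"C:\Windows\System32\svchost.exe", "h-aaa1"),
    ("ws-101", r"C:\Windows\explorer.exe", "h-bbb1"),
    ("ws-101", r"C:\Program Files\Corp AV\avagent.exe", "h-ccc1"),
    ("ws-102", r"C:\Windows\System32\svchost.exe", "h-aaa1"),
    ("ws-102", r"C:\Windows\explorer.exe", "h-bbb1"),
    ("ws-102", r"C:\Program Files\Corp AV\avagent.exe", "h-ccc1"),
    ("ws-103", r"C:\Windows\System32\svchost.exe", "h-aaa1"),
    ("ws-103", r"C:\Windows\explorer.exe", "h-bbb1"),
    ("ws-103", r"C:\Program Files\Corp AV\avagent.exe", "h-ccc1"),
    ("ws-104", r"C:\Windows\System32\svchost.exe", "h-aaa1"),
    ("ws-104", r"C:\Windows\explorer.exe", "h-bbb1"),
    ("ws-104", r"C:\Program Files\Corp AV\avagent.exe", "h-ccc1"),
    ("ws-104", r"C:\Users\Public\svchost.exe", "h-ddd1"),       # familiar name, wrong path
    ("ws-105", r"C:\Windows\System32\svchost.exe", "h-eee9"),   # right path, unexpected hash
    ("ws-105", r"C:\Windows\explorer.exe", "h-bbb1"),
    ("ws-105", r"C:\Program Files\Corp AV\avagent.exe", "h-ccc1"),
]


def stack_processes(inventory: List[Tuple[str, str, str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Map each distinct (lower-cased path, hash) pair to the set of hosts running it."""
    hosts_by_key: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for host, path, digest in inventory:
        hosts_by_key[(path.lower(), digest)].add(host)
    return hosts_by_key


def least_frequent(inventory: List[Tuple[str, str, str]], max_hosts: int = 1):
    """Entries seen on at most max_hosts machines, rarest first; these get analyst attention."""
    stacked = stack_processes(inventory)
    rare = [(path, digest, sorted(hosts))
            for (path, digest), hosts in stacked.items() if len(hosts) <= max_hosts]
    rare.sort(key=lambda r: (len(r[2]), r[0], r[1]))
    return rare


def name_collisions(inventory: List[Tuple[str, str, str]]) -> Dict[str, list]:
    """Basenames that appear with more than one (path, hash) combination across the fleet."""
    variants: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for _, path, digest in inventory:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        variants[name].add((path.lower(), digest))
    return {name: sorted(v) for name, v in variants.items() if len(v) > 1}


def fleet_size(inventory: List[Tuple[str, str, str]]) -> int:
    """Number of distinct hosts, useful for expressing rarity as a fraction of the fleet."""
    return len({host for host, _, _ in inventory})


if __name__ == "__main__":
    print(f"fleet of {fleet_size(PROCESS_INVENTORY)} hosts")
    for path, digest, hosts in least_frequent(PROCESS_INVENTORY):
        print("rare:", path, digest, hosts)
    for name, variants in name_collisions(PROCESS_INVENTORY).items():
        print("name collision:", name, variants)
```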
4.4.3 CONTAINMENT
Once the compromised systems have been identified using the
Detection tiger team’s network detection and correlation tools,
methodologies, and countermeasures, the containment phase of the
incident response plan will be initiated. The containment phase will
consist of the following tasks:
Backup/forensic image of systems for post remediation analysis
Shut down switch port and/or remove network cable of the
compromised hosts
Add MAC filters to wireless access points for any identified
compromised wireless clients, disable wireless cards.
Apply firewall rules for identified malicious ingress/egress traffic.
Enable Intrusion Prevention System functionality.
Force web traffic through proxies allowing only HTTP/HTTPS
traffic to/from the proxy addresses at the firewalls.
Leverage access controls and other security functionality within
the proxy to mitigate attack vectors
Implement file attachment scanning and/or stripping at the mail
servers where applicable to mitigate the malicious file
attachment attack vectors
Close communication with the Detection tiger team during the
containment phase will allow the IH team to determine containment
progress based on alert generation or lack thereof.
Additional anomalous behavior that is detected during this phase could
indicate morphed malware that can be further analyzed and used for
additional detection capabilities. Additionally, system owners and
management will be apprised of the execution and progress during this
phase.
4.4.4 ERADICATION
Based on current research and analysis available, there is no current
way to thoroughly clean a compromised system and be completely
certain of the system’s integrity. As such, the eradication phase
requires a full disk wipe and reimage of the system. The following
steps will be conducted to eradicate Shady RAT infections:
Wipe system drive(s)
Re-image systems/restore from backups
Patch/harden Systems
Install Anti-Virus, Anti-Malware, Host Intrusion Detection System
(HIDS)
Care must be taken when re-imaging and/or restoring systems from existing system images and backups. If the integrity of the backups or system images is in question, a full re-installation of the systems and applications from original media may be necessary. It is also important to fully patch and harden the operating systems and to install enterprise Anti-Virus and Anti-Malware packages to help mitigate future compromise. Current analysis by Symantec has indicated that their antivirus solution provides protection, within their Trojan.Downbot family signatures, against common threat vectors used by Shady RAT during the initial exploitation phase. Additionally, Symantec's reputation-based technologies can be leveraged to proactively protect systems against the common files used in these attacks. Host Intrusion Detection Systems such as OSSEC will also be installed to detect and correlate potential attacks and identify attack vectors, increasing incident response capabilities in the future.
4.4.5 RECOVERY
Once the eradication phase has been completed, the recovery phase
will be initiated. This phase returns the once compromised systems
back to their normal state and function. The recovery phase will consist
of the following:
Validate systems function normally
Restore operations/accessibility to systems
Monitor systems using:
○ Network IDS
○ Host-based IDS
○ System log monitoring
Monitoring of remediated systems during this phase is critical to
determining if the incident has been completely mitigated or if there
are still undiscovered attack vectors that allow for system compromise.
Baselines should be taken and any anomalous traffic should be fully
investigated in order to identify if additional remediation is required.
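The baseline-then-compare monitoring described for the recovery phase, as an added example that is not part of the plan or of any IDS product. It assumes a constructed connection-log format with one event per line, "<ISO timestamp> <host> <dst_ip>:<dst_port>", of the kind a firewall or HIDS could export; the host name ws-17 and the destination 203.0.113.7 (a documentation-range address) are constructed sample values. Two kinds of deviation are flagged: connections to a destination that never appeared in the clean baseline window, and repeated connections at near-constant intervals, which is the pattern the plan wants investigated before a host is declared fully recovered.

```python
"""Baseline-and-compare monitoring for remediated hosts (recovery phase).

Added example, not the plan's own code. Log format is an assumption:
    <ISO timestamp> <host> <dst_ip>:<dst_port>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logs. BASELINE_LOG is a known-good window captured
# right after re-imaging; MONITOR_LOG is the later watch period.
BASELINE_LOG = [
    "2021-08-16T08:00:00 ws-17 10.0.0.5:445",
    "2021-08-16T08:00:30 ws-17 10.0.0.10:53",
    "2021-08-16T08:01:02 ws-17 10.0.0.20:443",
    "2021-08-16T08:05:00 ws-17 10.0.0.10:53",
]
MONITOR_LOG = [
    "2021-08-17T09:00:00 ws-17 10.0.0.10:53",
    "2021-08-17T09:00:05 ws-17 10.0.0.20:443",
    "2021-08-17T09:00:10 ws-17 203.0.113.7:443",
    "2021-08-17T09:10:10 ws-17 203.0.113.7:443",
    "2021-08-17T09:20:09 ws-17 203.0.113.7:443",
    "2021-08-17T09:30:11 ws-17 203.0.113.7:443",
    "2021-08-17T09:31:00 ws-17 10.0.0.5:445",
]


def parse_line(line):
    ts, host, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), host, ip, int(port)


def build_baseline(lines):
    """Set of (host, dst_ip, dst_port) tuples seen during the clean window."""
    return {(h, ip, p) for _, h, ip, p in map(parse_line, lines)}


def find_anomalies(baseline, lines, min_events=4, max_jitter=0.15):
    """Return a list of (kind, host, "ip:port") findings.

    "new-destination": the tuple never appeared in the baseline.
    "beaconing": at least min_events connections to one destination whose
    inter-arrival times vary by no more than max_jitter (relative std dev).
    """
    findings = []
    per_dest = defaultdict(list)
    for ts, host, ip, port in map(parse_line, lines):
        key = (host, ip, port)
        per_dest[key].append(ts)
        finding = ("new-destination", host, f"{ip}:{port}")
        if key not in baseline and finding not in findings:
            findings.append(finding)
    for (host, ip, port), stamps in per_dest.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append(("beaconing", host, f"{ip}:{port}"))
    return findings


def analyze():
    """Run the comparison over the constructed sample logs."""
    return find_anomalies(build_baseline(BASELINE_LOG), MONITOR_LOG)


if __name__ == "__main__":
    for kind, host, dst in analyze():
        print(f"{kind:16} {host:8} {dst}")
```

Legitimate periodic traffic (NTP, DNS health checks) will also satisfy the beaconing test, so in practice the baseline window should be long enough to capture it and such destinations reviewed once and allow-listed; every remaining hit is a candidate for the "additional remediation" decision above.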
4.4.6 LESSONS LEARNED
The final phase of the incident response plan will be to hold a Lessons
Learned meeting with the IH and Detection tiger team. During this
meeting any insights gained during execution of the incident response
plan can be shared among the team members in order to
increase the incident response capabilities of the team. The
information and insights from these meetings will be used to initiate
improvements to technology, processes and the incident handling
capabilities of the response teams. A final formal report of all weekend
incident response activities will be created and distributed to system
owners and management for review.
4.5 INFOGRAPHICS
Demographics of Japan
Population: 126.4 million (2020)
Labor Force: 68.7 million
GDP (nominal): $4,872,415,104,315 (2017)
Unemployment rate: 2.97% approx.
Literacy rate: 99%
Land Area: 364,555 km²
Sources:
https://www.theguardian.com/world/2013/oct/08/why-do-japanese-children-lead-world-numeracy-literacy#:~:text=Japan's%20approach%20%E2%80%93%20rote%20learning%20accompanied,is%20frequently%20put%20at%2099%25.
https://www.worldometers.info/demographics/japan-demographics/
https://worldpopulationreview.com/countries/japan-population
Comparison of Internet Usage Statistics
No. of internet users in Japan: 116.5 million (2020)
% of internet users in Japan: 92% (2020)
No. of internet users in Australia: 22.31 million (2021)
% of internet users in Australia: 88% (2021)
Sources:
https://prosperitymedia.com.au/australian-internet-statistics/#:~:text=Datareportal%20reports%20that%3A,at%2088%25%20in%20January%202021.
https://www.internetlivestats.com/internet-users/japan/
Cost/Expenditure
InfoSec cost elements in Japan (amount in $)
Data breaches: 4.19 million (2020)
Malware attacks: 1.17 million (2020)
Security training: 1 billion approx. (announced budget 2021)
Cyber security tools: 6 billion (2020)
Sources:
https://thediplomat.com/2020/12/japanese-companies-fall-victim-to-unprecedented-wave-of-cyber-attacks/
https://www.dataendure.com/wp-content/uploads/Cost-of-a-Data-Breach-Report-2020.pdf
https://www.mod.go.jp/en/d_act/d_budget/pdf/210331a.pdf
https://www.statista.com/statistics/965140/japan-information-security-tool-products-market-size/
Statistics on top security attacks in Japan
Attack type: no. of attacks observed
DDoS attacks: 10 million (2021)
Ransomware attacks: 143
Malware attacks: 1,644,016 (stats as of 19/07/2021)
Sources:
https://www.netscout.com/blog/japan-under-attack
https://www.blackfog.com/the-state-of-ransomware-in-2021/#Ransomware_Attacks_by_Country
https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-april-2021
https://www.avira.com/en/threat-landscape/details/jp
The Three Cybersecurity Challenges
Based on the research and the statistics above, the following are the three major
challenges WA Oil and Gas Inc. may be facing:
1. Insufficient Investment
In 2021 the proportion of the budget assigned to cyber security spending
is set to rise to JP¥30.1 billion, an increase of almost JP¥5 billion, though
one which will still not see spending on cyber rise to 1% of the budget.
Importantly, the Ministry of Defence intends to consolidate Japan’s cyber
security infrastructure by abolishing the C4SC and expanding the Cyber
Defence Group to 540 personnel. Cyber personnel from other branches of
the JSDF will be transferred to the Cyber Defence Group as part of this
reorganisation; in the long term this reform is likely to enhance the
co-ordination of Japan’s response in the event of a cyberattack.
2. Legal Hurdles
Challenges to Japan’s cyber forces also arise from the country’s laws and
constitution. Firstly, Article 21 of Japan’s constitution states that ‘the
secrecy of any means of communication [shall not] be violated’, ostensibly
placing limitations on the ability of the state and Internet service providers
to analyse packet communication.
Secondly, Article 22 of the Self-Defence Force Law raises an issue for the
JSDF’s goal of building a ‘multi-dimensional’ (多次元) defence capability.
Article 22 specifies a limited range of missions for which special units
combining forces from the three SDF branches can be established on a
long-term basis. Cyber security falls outside the purview of that Article,
and so the JSDF is legally permitted only to establish a multi-domain task
force incorporating cyber defence forces on a temporary basis.
3. Narrow Scope
The scope of Japan’s cyber defence aspirations may not be wide enough
to protect the country against cyber threats. Currently, the Cyber Defence
Group is tasked solely with responding to attacks against the JSDF’s own
systems, not with the defence of other critical public or private
infrastructure.
4.6 REFERENCES
Revealed: Operation Shady RAT. Dmitri Alperovitch, Vice President, Threat Research, McAfee. https://www.mcafee.com/enterprise/en-us/resource-library.html
Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG), Version 3.0. https://www.sans.org/blog/cis-controls-v8/
Windows Incident Response, APT and Frequency of Least Occurrence. http://windowsir.blogspot.com/2010/01/thoughts-on-apt.html
NIST Special Publication 800-61. http://csrc.nist.gov/publications/nistpubs/800-61-