Information Assurance

CS-465/565 Information Assurance

Project

Dr. Chuck Cartledge

December 31, 2022

Contents

List of Figures

1 Introduction

2 Background

3 Assignment

4 Deliverable

5 References

List of Figures

1 The process of risk management.

2 Never under estimate human errors.

1 Introduction

“Information assurance is ensuring that your information is where you want it, when you want it, in the condition that you need it and available to those that want to have access to it – but only them.”

Blyth and Kovacich [3]

You will be taking on the role of Chief Information Assurance Officer (CIAO) in a small manufacturing company, ABC Inc. Recently ABC’s internal network was compromised, and administrative and financial operations were curtailed for a few weeks. You have been tasked with creating a set of information assurance (IA) policies and procedures to reduce the risk of company disruption and of internal proprietary information being compromised again. Your initial deliverable will be a report about what happened, some of the apparent consequences of the breach, and policies and procedures to be put in place to reduce the likelihood of future incidents.

 

 

2 Background

ABC is a manufacturing company employing approximately 1,000 people. It has a logically segmented network, with financial and administrative functions on one segment, and engineering and manufacturing processes on another segment. The administrative segment can be thought of as the information technology (IT) side, and the engineering and manufacturing segment can be thought of as operational technology (OT). Both share a common infrastructure, connected by a custom enterprise resource planning (ERP) system. The IT segment is responsible for the accounts receivable and accounts payable aspects of the company (essentially those functions that control the flow of money into and out of the company). Employees have personalized e-mail addresses to facilitate both internal and external communications. ABC was subject to a ransomware threat, and was unable to bill its customers or pay its vendors for 3 weeks.

In-house technical support staff was anxious to restore or recreate a working infrastructure, but upper management decided it would be faster and more thorough to bring in experts. Outside cyber-security support was brought in to help resolve the situation.

A post-mortem investigation revealed that an administrative support employee received an e-mail from what appeared to be a valid source with an Excel spreadsheet attachment. Within 4 minutes of opening the spreadsheet, a version of Zloader [2] began harvesting logins and passwords. Three weeks passed between the time Zloader was installed and the time the financial and administrative system was locked down with ransomware demands. Ryuk [6] ransomware-related files were found on more than 40 computers on the ABC IT network. The engineering segment and the manufacturing programmable logic controller (PLC) activities were not apparently impacted (see footnote 1).

With the support of the cyber-security organization, all suspicious or compromised files were removed from ABC’s network, computers, servers, and backups, and full company activities resumed.

3 Assignment

As the incoming CIAO, you are tasked with writing a detailed report about the incident, its consequences, and detailed measures to prevent a recurrence. With that in mind:

1. Assume that this report will be submitted to your new boss. Your continued employment depends on the objectivity, and thoroughness of your investigation.

2. With self-preservation in mind, there should be:

(a) A summary of what happened.

(b) A background section outlining ABC’s commercial responsibilities, intellectual properties, strategic and corporate alliances, and a discussion of the strengths and weaknesses of the network infrastructure.

(c) What were the consequences of what happened?

(d) A vulnerability assessment of the company’s assets and ability to function (i.e., perform services, charge for services, receive payment for services, and pay for services). Label each as to whether they are critical, essential, or ancillary to the company’s operation. Remember the goal of IA is the assurance of services, including:

• integrity,

• availability,

• confidentiality, and

• non-repudiation.

(e) A risk-based threat matrix, based on your vulnerability assessment (see Figure 1).

(f) A recommended company communications plan (make sure to address both internal and external communications).

(g) How will you ensure that it won’t happen again?


Figure 1: The process of risk management. Figure from [3].


The report is for ABC internal use only, and deals strictly with IA issues. The content of internal and external data and communication, and how such things were used, is not part of the report.

Because this is a fictionalized company based on real experiences, not all data will be available at the time of the report, so you may use a certain amount of creative license when writing the report. Be sure to cite things that are available via a reference; this includes books, publications, blogs, etc. Keep in mind that each type of reference is formatted differently. Where you believe there are blanks in the citable references, you may be creative about filling them in. Your creativity should be bounded by reasonableness, possibility, and state of the art practicality. The COVID-19 pandemic has made IA especially vexing [4]. Your recommendations need to address “working from home.”

“Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn’t.”

M. Twain [7]

Be sure to couch your recommendations using the risk management ideas from chapters 3 and 11 of the text, recognizing that human error (see Figure 2) is a real and always present danger.

4 Deliverable

CS-465/565 is a senior/graduate student course. As such, the expectation is that you are capable of producing senior/graduate level work products. The course project is one of those work products.

The current paper formatting instructions say the references (and by association the citations) should be in either American Psychological Association (APA), or Modern Language Association (MLA) style. The instructions do not explicitly talk about the rest of the paper. The rest of the paper should be in the same style (APA, or MLA) as the references and the citations. Either APA, or MLA is acceptable. Each comes with its own set of recommendations for page layout, headers and footers, line spacing, page numbering, font selection, and the simple things of citations and references.

Here are some general places to look for information about the different styles:

• APA: http://www.easybib.com/guides/citation-guides/apa-format/

• MLA: http://www.easybib.com/guides/citation-guides/mla-format/

Here are some general words about different word and text processors relative to APA and MLA:

• LaTeX has APA and MLA packages. See these sites for packages:

– https://ctan.org/pkg/apa?lang=en

– https://ctan.org/pkg/mla?lang=en

• LibreOffice Writer does not appear to have APA or MLA templates installed by default. See these sites for templates:

– https://extensions.libreoffice.org/templates/apa-6th-edition

– https://extensions.libreoffice.org/templates/mla

• Word has APA and MLA built-in styles for references and citations. See these sites for templates:

– https://templates.office.com/en-us/MLA-style-research-paper-TM03984841

– https://templates.office.com/en-us/APA-style-report-6th-edition-TM03982351

Footnote 1: PLCs were the target of the Stuxnet worm.

The report must be submitted as a PDF, and needs to meet the following physical and logical requirements:

1. Between 10 – 15 pages (not including front matter, back matter, or figures from other sources). Front matter includes things like title page, Table of Contents, List of Tables, List of Figures, etc. Back matter includes things like references or appendices.

2. Minimum page counts:

• CS-465 students – 10 pages

• CS-565 students – 15 pages

3. If you include tables or figures, then they must be referenced in the text. Remember that tables and figures need captions, and that the captions show up in the front matter. Captions can be as long or large as necessary, but long captions should not show up in the table of contents. (For those of you with a LaTeX bent, you might want to check out the optional argument to the caption macro.)

4. Use your word, or text processor to create the front and back matter. It is easy to tell when someone has tried to do it by hand, so please don’t.

5. You can use whatever resources you feel are appropriate, just be sure to cite them.

6. Spell out abbreviations before using them.

7. Be consistent when capitalizing acronyms (Arm ≠ ARM).

8. Spell check, spell check, and then spell check again.

9. If your word or text processor does not save files natively as PDFs (meaning that you have to “export”, or “print” them), be sure and look at the file in an external reader (Adobe Acrobat is probably the best). Not all internet browsers implement all aspects of the PDF specification, so check your product with a real reader to see what it looks like.

10. Be sure to address each of the line items identified in the Assignment section, and make it easy for me to find them. A suggestion is to have each item be a section or chapter that stands proud in the Table of Contents.

11. It is very easy to “jigger” the page count by “diddling” the font size, the font type, line spacing, and what not. Please don’t do any of those silly things, it won’t help. One of the first things that I will do with your PDF is run it through a command like this:

echo "scale=2; `pdftotext project.pdf - | wc -w` / 250" | bc

which will extract the text from the PDF file, and then count the number of words in the file. Assuming there are approximately 1,000 characters per double spaced page, and that a word has on average 4 to 5 characters, then there should be between 200 and 250 words per page. Tossing out some of those words for the front and back matter gives a range of words (and pages) in the PDF.


Figure 2: Never underestimate human errors. A human will find a way to thwart the best laid plans (figure from [5]). “Never underestimate the power of human stupidity.” from [1].


5 References

[1] Robert A. Heinlein, Time Enough for Love, G. P. Putnam’s Sons, 1973.

[2] Greg Belding, Zloader: What it is, how it works and how to prevent it, https://resources.infosecinstitute.com/topic/zloader-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/, 2020.

[3] Andrew Blyth and Gerald Kovacich, Information Assurance, Security in the Information Environment, Springer-Verlag Ltd, London, 2006.

[4] Sean Gallagher, Dr. Strangenet – or, how i stopped worrying and embraced the WFH IT apocalypse, https://arstechnica.com/features/2020/11/future-of-collaboration-03/, 2020.

[5] John Klossner, Untitled, http://www.jklossner.com/humannature/wktpnx3p7sqi73aj18g1fglmbswg92, 2006.

[6] Malwarebytes Staff, Ryuk ransomware, https://www.malwarebytes.com/ryuk-ransomware, 2021.

[7] Mark Twain, Following the equator: a journey around the world, Harper & Brothers, 1903.
