SRA 440W
Phase 2: Design Phase
Proposed Alternative Solutions
Group 4: SHREK INC.
Design Alternative Solution
Introduction
SHREK Inc. is dedicated to fulfilling the needs of Service Provider in the areas of Information Security Policies and Training, Compliance and Insider Threat Mitigation, and the tracking of both local and remote users’ productivity and system usage. We plan to do this with specifically designed training and policies that address most issues; as an alternative, we will also present Commercial Off the Shelf (COTS) options that may provide the bare minimum of what is needed but may not be as customizable as Service Provider would desire.
Summary of Problems Being Investigated
As stated in the previous section, SHREK Inc. will be addressing Security Policies and Training. This will cover a written set of approved policies covering how employees should interact with company IT assets to ensure the highest level of system confidentiality, integrity, and availability. SHREK Inc. will also provide a comprehensive training program, in both written and computer-based form, commensurate with each employee’s level of need to know. SHREK Inc. will also be addressing Compliance and Insider Threat Mitigation. This will allow Service Provider to maintain compliance at the local, state and federal levels, and will help Service Provider mitigate, detect, and neutralize insider threats. Lastly, SHREK Inc. will be addressing the tracking of both local and remote users on the system. This specific area will be a third-party Commercial Off the Shelf system that will provide Service Provider with the ability to track usage of Service Provider assets by in-house and remote users. We aim to provide a customized set of solutions to both Security Policies and Training and Compliance and Insider Threat Mitigation, but will also give recommendations of available Commercial Off the Shelf alternatives for both.
Goals and Objectives
SHREK Inc.’s goal and objective is to have pre-stated deliverables and alternatives to Service Provider within the previously agreed upon time frame and within the previously agreed upon budget.
Summary of your proposed approaches and available 3rd party solutions
SHREK Inc. has provided four alternatives for Information Security Policies and Training and for Compliance and Insider Threat Mitigation: two COTS (Commercial Off the Shelf) options and two custom-tailored, purpose-built options from SHREK Inc. We have also provided two third-party solutions in the area of tracking local and remote employee system usage and timekeeping.
3rd Party Solutions
Solution Problem 1 Information Security Policies and Training
Solution 1
Alterity Solutions, Inc. will provide monthly training to reinforce the need for, and the processes of, a good cyber security program. These training sessions come in a variety of formats so that those with different learning styles and schedules have the flexibility to learn in a style that best suits them. The sessions also contain knowledge checks to aid management in tracking and validating learning and completion of learning modules. Alterity Solutions assesses the customer’s requirements and reporting needs and then offers a strategy to implement the defined measures, to help ensure a successful adoption of the overall information security program.
Solution 2
ESET Cyber Security Awareness Training supplies a 90-minute online training program that would cost SHREK Inc. $875.00 for fifty employees. This cyber security awareness training would accommodate employees that are working remotely. The ability to do this training online will make it easier to accomplish having all employees complete the training. The training isn’t the typical type of mundane, repetitive training. This training uses games that engage and change the attitudes of the employees participating. One major benefit to having this solution is that it provides a phishing simulator to test the employees. Along with testing employees to make sure they aren’t falling victim to phishing scams, the employer also has access to a dashboard to track employees’ learning status. Finally, completing this 90-minute course will provide the employee with a Certification & LinkedIn badge.
Comparison between Solution 1 and Solution 2
Evaluation Criteria
We looked at the relevance to company goals, customized training, and the time invested by each employee in the program to determine the solution that best fits Service Provider’s needs. These criteria and weights are shown in Table 1.
Weighted Ranked List
Table 1. Information Security Policies and Training

Criterion                  Weight   Alterity   ESET
Relevance                  0.3      x
Invested employee time     0.2      x
Customized training        0.5      x
Total                      1        1          0
Recommendations
Three factors lead us to recommend Alterity Solutions. First, the amount of time invested per employee interaction and the continued education that Alterity Solutions provides; ESET is more of a “one and done”, check-the-box confirmation that employees have had the training, with no real ongoing investment in security training. Second, the relevance to your business: Alterity Solutions is able to customize an ongoing training plan, whereas ESET is a more generic, cookie-cutter training.
Solution Problem 2 Compliance and Insider Threat Mitigation
Solution 1
Threat Defense Group (TDG) provides insider threat detection and mitigation as well as management training, based on more than ten years of real-world experience helping the U.S. Government (Department of Defense, Intelligence Community) and businesses develop robust and effective Insider Threat Programs (ITP). The company would spend $1295 per person for anyone in an upper-management position, because that tier includes additional training in legal guidance. The program development training, which is web based, would cost $695 per person; this would be the training for the Threat Detection, Prevention and Mitigation Team.
Solution 2
Insider Threat Management Group (ITMG) provides consulting, assessment of current assets configuration and needs, training in all areas concerned and even contract staffing if desired and legal advice if the need arises.
Comparison between Solution 1 and Solution 2
Evaluation Criteria
We looked at the ability of each option to meet all of Service Provider’s needs in these areas, as well as the credibility of each vendor, to decide on the best option for Service Provider. These criteria and weights are displayed in Table 2.
Weighted Ranked List
Table 2. Compliance and Insider Threat Mitigation

Criterion                                       Weight   ITMG   TDG
Ability to meet all of Service Provider’s needs  0.3      x
Credibility                                      0.7      x      x
Total                                            1        1      0.7
Recommendations
Threat Defense Group (TDG) provides flexibility and credibility. Its training is thorough, and it offers several consulting services: insider threat program consulting, insider risk assessment, and insider threat mitigation solutions and services. The ITMG program covers program development, technical consulting, strategic advising, and the legal and privacy concerns that may arise during the installation of a program of this type. ITMG also offers a complete insider risk assessment along with baseline measurables, training, and contract staffing in the areas of data analysis and investigation. Both companies are experts in their field, both are well respected in the area of insider threat mitigation, and either would be a good option for this problem; however, we would recommend the Insider Threat Management Group, as shown in Table 2, because they offer contract staffing in the areas of analytics and investigation if desired. Additionally, on average, companies that must deal with an insider incident spend over $644,000 per incident, and it takes approximately two months to contain it (ITMG).
Solution problem 3 Tracking of Local and Remote Employees
Solution 1
Email Analytics is a valuable way to keep track of remote employees, as email is the primary means of communication for employees working from remote locations. This remote employee monitoring program also provides time trackers as well as activity trackers.
Solution 2
The Insightful program offers employee productivity monitoring and automatic time keeping.
Comparison between Solution 1 and Solution 2
Evaluation Criteria
For this solution we looked at the areas the software would be tracking and the ease of integration into Service Provider’s existing IT infrastructure. These criteria and weights are displayed in Table 3.
Weighted Ranked List
Table 3. Tracking of Local and Remote Employees

Criterion             Weight   Email Analytics   Insightful
Areas of tracking     0.6      x
Ease of integration   0.4      x                 x
Total                 1        1                 0.4
Recommendations
We would recommend using Email Analytics, as shown in Table 3, as the solution to this issue, since it best covers all areas of need: email monitoring, activity tracking and time tracking.
Proposed (Non-COTS) Solutions
Solution Problem 1 – Information Security Policies & Training
Solution 1
The purpose of this company-wide security program is to ensure the integrity, availability and confidentiality of SHREK Inc. information assets against unauthorized access, loss or any kind of damage, while supporting company operations. To ensure that these requirements are met, there must be a policy and training plan in place. The first solution is classroom training on a quarterly basis. Quarterly training should be more than enough to ensure that employees are always up to date with outside threats. There will be a one-day class in which the instructor updates employees on the current cyber threat landscape and conducts training on how to react to suspicious emails and how to prevent loss of data.
Solution 2
The purpose of this company-wide security program is to ensure the integrity, availability and confidentiality of SHREK Inc. information assets against unauthorized access, loss or any kind of damage, while supporting company operations. To ensure that these requirements are met, there must be a training plan in place. The second solution is a self-paced course that employees complete within each calendar quarter. The first component is a computer-based virtual training program in which the employee answers questions as a fictional SHREK Inc. worker, making decisions that reflect the best cyber security practices. The second component is an email program in which the company sends out “fake” emails that include a link; this is essentially a test of how employees react to such emails. The first check is whether they open the suspicious email at all, and the second, if they open it, is whether they click the link within it. Doing so notifies the training department, and the employee is required to take extra training to ensure they watch out for these spam emails, which may carry malware or ransomware.
Comparison between Solution 1 and Solution 2
Solution 1
Both of these recommendations will be cheaper to conduct internally within the company, at anywhere from $395 to $695 per employee. Both are cost effective, and solution 2 could be more convenient as well.
Weighted Ranked List criteria: cost effectiveness, time saving
Solution 2
Both of these recommendations will have a positive outcome. However, the main recommendation for this company is solution 2, because employees can work at their own pace during lunch or other downtime, whereas solution 1 requires them to be out of the office, with a possible loss of productive work.
Solution problem 2 – Compliance and Insider Threats
Solution 1
Compliance and insider threat refers to a cyber security danger that emanates from inside a company. An employee, contractor, vendor or partner who holds valid user credentials may abuse their access to the organization’s networks, systems and data in order to gain an unfair advantage. Whether intentional or accidental, an insider danger may cause harm regardless of what the individual is trying to do; the ultimate consequence is compromised data and systems. The majority of data breaches are the result of attacks from inside. In the fight against insider threats, there are a variety of solutions that can be adopted at SHREK. First, system hardening is one of the only real ways to keep systems safe, using Continuous File Integrity Monitoring and Continuous Configuration Hardening Assessment and Reporting. The best practices we implement can be hardened by using checklists such as the CIS Benchmarks. A more targeted source of best practices for appliance and network device vulnerability mitigation is manufacturer-provided checklists (Chen et al., 2022). It is important to keep in mind that, despite the variety of checklists and jargon in use, there is only one method to really harden any given system: hardening measures suited to your environment, balancing operational and functional sacrifices, are more essential than monitoring for deviations from the norm established by the business.
Solution 2
Another solution is closing the loopholes that insider threats exploit. As previously stated, privileged accounts are attractive to insiders because of their high value. A privileged access management monitoring strategy is essential for enterprises, so that access to privileged accounts is monitored in the SIEM. Instances of numerous unsuccessful logon attempts, or attempts made outside of typical business hours, will be flagged by user behavioral analytics and sent to a security analyst for further investigation (Al-Mhiqani et al., 2022). Windows and Linux object-level auditing, fed into the SIEM, can help monitor sensitive data regions to identify who has accessed what data in the company. Using correlation rules and alarms, security analysts can review events and decide whether to retain the information for future examination. Both solutions aim to provide security for the company’s data: system hardening and managing loopholes share the single interest of ensuring that the company’s data is protected. Whereas system hardening ensures that attackers and other threats find it hard to access information, managing loopholes aims at repairing the vulnerabilities in the system so that threats are avoided.
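The two user-behaviour rules described above (a burst of failed logons against a privileged account, and a successful privileged logon outside business hours) are the kind of correlation logic a SIEM would run. The following is an added example written for this document, not code from the SHREK Inc. proposal or from any SIEM product; the log line format, the account names, the privileged-account inventory, the business-hours window and the failure threshold are all constructed assumptions.

```python
"""Added example (not part of the SHREK Inc. proposal): two user-behaviour
detection rules run over constructed authentication log lines. The log
format, account names, thresholds and business hours are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the assumed "date time user outcome source" format.
SAMPLE_LOG = """\
2024-03-04 09:02:11 jdoe SUCCESS 10.0.0.12
2024-03-04 09:05:40 svc_backup FAILURE 10.0.0.50
2024-03-04 09:05:52 svc_backup FAILURE 10.0.0.50
2024-03-04 09:06:03 svc_backup FAILURE 10.0.0.50
2024-03-04 09:06:15 svc_backup FAILURE 10.0.0.50
2024-03-04 09:06:27 svc_backup FAILURE 10.0.0.50
2024-03-04 13:15:00 jdoe SUCCESS 10.0.0.12
2024-03-04 23:41:09 admin_kp SUCCESS 10.0.0.77
2024-03-05 02:10:44 jdoe FAILURE 10.0.0.12
2024-03-05 08:30:00 admin_kp SUCCESS 10.0.0.77
"""

PRIVILEGED_ACCOUNTS = {"admin_kp", "svc_backup"}  # assumed privileged-account inventory
BUSINESS_HOURS = (8, 18)                           # assumed 08:00-18:00 local time
FAILURE_THRESHOLD = 5                              # assumed failures per window
FAILURE_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn each log line into a dict; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, time_, user, outcome, source = parts
        try:
            ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        events.append({"ts": ts, "user": user, "outcome": outcome, "source": source})
    return events


def detect_failed_logon_bursts(events, privileged=PRIVILEGED_ACCOUNTS,
                               threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Alert when a privileged account accumulates `threshold` failures inside
    a sliding `window`. One alert per account keeps the analyst queue short."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "FAILURE" and e["user"] in privileged:
            failures[e["user"]].append(e["ts"])
    alerts = []
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                alerts.append({"rule": "failed_logon_burst", "user": user,
                               "first": times[start], "last": times[end]})
                break
    return alerts


def detect_after_hours_logons(events, privileged=PRIVILEGED_ACCOUNTS, hours=BUSINESS_HOURS):
    """Alert on successful privileged logons outside the business-hours window."""
    start_h, end_h = hours
    return [{"rule": "after_hours_logon", "user": e["user"], "ts": e["ts"], "source": e["source"]}
            for e in events
            if e["outcome"] == "SUCCESS" and e["user"] in privileged
            and not (start_h <= e["ts"].hour < end_h)]


def run_rules(text):
    """Parse the log once and return the alerts from both rules."""
    events = parse_log(text)
    return detect_failed_logon_bursts(events) + detect_after_hours_logons(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the burst rule fires once for svc_backup and the after-hours rule once for admin_kp’s 23:41 logon; the 08:30 logon and jdoe’s single failure are below the thresholds and are not reported. Real deployments would tune the window and threshold per account class and read the privileged inventory from the PAM system rather than a hard-coded set.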
Comparison between Solution 1 and Solution 2
Comparing solutions 1 and 2: for the first solution, system hardening, the company chose Continuous File Integrity Monitoring and Continuous Configuration Hardening Assessment and Reporting, which ensure that the database is protected against outside intrusion, so the company can be confident in its protected system. The second solution uses Windows and Linux object-level auditing, which records every person who accessed the data, so that access can be traced in case of an information leak. In general, both solutions aim to keep the system reliable and protected from external parties that may try to access private data, while allowing the company to maintain these practices directly in house.
Criteria Weighted Ranked List & Recommended Actions
The criteria used to come up with a substantial solution were based on relevance, coherence, sustainability, efficiency, effectiveness and impact. The solutions proposed were relevant to the proposed problems, hence solving the presented problems. Similarly, the solutions were sustainable to the company because the company could rely on them to achieve the required changes. In terms of efficiency, the company had first tested the validity of the solutions before implementing them, hence making the solutions workable. It is evident that the solutions were also coherent because they were in line with the visions and goals of the company. The company ensured that the employees were trained on the solutions to establish a strong and long-lasting impact.
Conclusion and Future Directions
As employees of SHREK Inc., it is of the utmost importance that we fulfil the needs of our Service Provider. We first looked at 3rd Party (COTS) Solutions to potentially assist in fulfilling these needs. The first need addressed is Security Policies and Training, for which two solutions were considered. Alterity Solutions, Inc. will provide monthly training to reinforce the need for, and the processes of, a good cyber security program; the company assesses the customer’s needs and offers an implementation strategy to ensure a successful transition to the new security program. The second solution is a 90-minute online training program provided by ESET Cyber Security Awareness Training. This online training will quickly meet the requirements for employees, as it is easy to access and rapid to complete. It is recommended that Service Provider utilize Alterity Solutions, as it implements a long-lasting training plan, whereas ESET has no real ongoing investment and a “one and done” mentality. The next issue to address is Compliance and Insider Threat Mitigation. Threat Defense Group is an insider threat detection and mitigation company that also conducts management training; its training offers two levels, legal guidance training for upper-level employees and program development web training for the threat detection, prevention, and mitigation team. The alternative third-party solution is Insider Threat Management Group, which provides consulting, assessment, training and even contract staffing if needed. As Threat Defense Group can meet all of Service Provider’s needs, and has credibility due to its past work for the Department of Defense, we recommend that it be the company utilized. The third and final issue for third-party solutions is Tracking of Local and Remote Employees.
Email Analytics is a company that provides a valuable method of tracking employees. Through a remote employee monitoring program built around email, the program tracks time and activity. The alternative solution for this issue is Insightful, a program that offers employee productivity monitoring and automatic time keeping. As Email Analytics provides more areas of tracking, and its ease of integration is higher, we recommend that Email Analytics be employed in the daily practices of Service Provider.
To provide further alternative approaches for solving these business problems, excluding Tracking of Local and Remote Employees, we looked at Proposed (Non-COTS) solutions. The initial problem Service Provider is facing is Information Security Policies & Training. The first proposed solution is a company-wide security program designed to ensure the integrity, availability, and confidentiality of information assets. Policies and training will be implemented through classroom training on a quarterly basis, ensuring up-to-date practices for employees and covering prevention of data loss, suspicious emails, and similar topics. The alternative solution is a self-paced course for employees to complete within each calendar quarter. This solution includes an initial virtual training program with questions on cyber security practices, followed by testing of employees with suspicious emails; additional training will be given to those who fail these tests. Although both solutions have low cost and positive outcomes, we recommend that Solution 2 be implemented, as employees will be able to work at their own pace with real-world application tests. The second issue we must protect against is Compliance and Insider Threats. The initial solution is system hardening, a practice that keeps systems safe using Continuous File Integrity Monitoring and Continuous Configuration Hardening Assessment and Reporting; checklists such as the CIS Benchmarks will be used within this practice to assess deviations from the norm established by the company. The second alternative solution is closing the loopholes for insider threats: accounts with access to company items of value that show numerous failed attempts, or after-hours login attempts, will be flagged by user behavioral analytics and sent to a security analyst for further investigation.
It is recommended that solution one of system hardening is utilized to protect against the Compliance and Insider threats ensuring the protection of valuable company data.
These proposed Non-COTS Solutions will be useful in the next phase of this project. As we will be designing a complete proposed solution for the two business problems, it is necessary to begin designs for these solutions now. Without prior thought and knowledge of non-COTS solutions, creating an effective plan would have been a heavier task. Having designed pertinent non-COTS solutions for these two business problems, we will be able to develop them more efficiently and in greater depth in the next phase of this project.
References
Chen, Q., Zhou, M., Cai, Z., & Su, S. (2022, April). Compliance checking based detection of insider threat in industrial control system of power utilities. In 2022 7th Asia Conference on Power and Electrical Engineering (ACPEE) (pp. 1142–1147). IEEE.
Al-Mhiqani, M. N., Ahmad, R., Abidin, Z. Z., Abdulkareem, K. H., Mohammed, M. A., Gupta, D., & Shankar, K. (2022). A new intelligent multilayer framework for insider threat detection. Computers & Electrical Engineering, 97, 107597.
Joseph, M. A. (2021, July 1). Digital forensics is ready for its most recent challenge: IoT forensics. LinkedIn. https://www.linkedin.com/pulse/digital-forensics-ready-its-most-recent-challenge-iot-joseph
ESET. (n.d.). Cybersecurity awareness training. https://www.eset.com/us/cybertraining/
Insider Threat Defense Group. (2021, September 21). Insider threat mitigation training & services. https://www.insiderthreatdefense.us/
Insider Threat Management Group. (2018, September 19). Home. https://www.itmg.co/
EmailAnalytics. (2022, June 2). Email Analytics: Visualize your team’s email activity in Gmail & Outlook. https://emailanalytics.com/
Insightful. (n.d.). Employee monitoring software with time tracking. https://www.insightful.io/
Revised by Dr. Rizvi