Description

Your boss wants you to draft a two- to three-page vulnerability process and assessment memorandum addressing the main points of a VM process for Mercury USA. You will cover the main elements of a vulnerability management process, tailored to Mercury USA's business in the transportation sector, evaluate the OpenVAS scanning tool, and provide recommendations for mitigating the vulnerabilities found within the OpenVAS report.

The third-party pen tester used the free tool Open Vulnerability Assessment Scanner (OpenVAS) to scan Mercury USA's network. Review the report from the OpenVAS Scan. As you review the scan, consider some important points from Lesson 5.6, Remediation:

• Priority
• Difficulty of implementation
• Communication/change control
• Inhibitors to remediation
  o MOUs
  o SLAs
  o Business process interruption
  o Degrading functionality

Please see the attached documents for more details (three attachments: the assignment instructions, the OpenVAS scan report, and the VM Process Overview Template). This assignment will be submitted to Turnitin®.

How Will My Work Be Evaluated?
An important part of your duties as a cybersecurity analyst will involve analyzing data from multiple sources and sensors such as antivirus/antimalware scanners, firewalls, insider threat monitoring systems, intrusion detection/prevention systems, SIEMs, vulnerability scanners, web application scanners, and other tools. You will also process logs from applications, auditing, network infrastructure devices, internet of things (IoT) devices, mobile communications devices, printers, servers, security appliances, and generalized logging collectors like syslog and Windows Event Logs.

As a cybersecurity analyst, you will be considered the subject matter and technical expert. A large part of your work will focus on identifying, analyzing, and mitigating vulnerabilities. For this assignment, you are asked to provide your supervisor with a technical evaluation of the organization's vulnerabilities and propose a vulnerability management process. By summarizing your results in a short memorandum, you are showing how you use your technical knowledge to convey your ideas to others in a professional setting. Your ability to express your findings using the right mix of technical detail in a business context using an accepted format is an important workplace skill.

The following evaluation criteria aligned to the competencies will be used to grade your assignment:

• 1.1.1: Articulate the main idea and purpose of a communication.
• 1.3.1: Identify potential sources of information that can be used to develop and support ideas.
• 1.4.1: Produce grammatically correct material in standard academic English that supports the communication.
• 10.1.1: Identify the problem to be solved.
• 10.1.2: Gather project requirements to meet stakeholder needs.
• 12.1.2: Formulate policies, processes, and procedures based upon identified business needs.
• 12.2.1: Identify systems for the risk assessment.

You will use this report to write a two- to three-page memorandum for your manager, Judy.
Follow the instructions in the VM Process Overview Template to record your work. Delete the instruction text before you submit your project. When you are finished, click "add a file" to upload your work, then click the Submit button.

Scan Report
April 7, 2020

Summary

This document reports on the results of an automatic security scan. All dates are displayed using the timezone Coordinated Universal Time, which is abbreviated UTC. The task was Immediate scan of IP 192.168.1.10. The scan started at Tue Apr 7 01:38:24 2020 UTC and ended at Tue Apr 7 01:41:26 2020 UTC. The report first summarises the results found. Then, for each host, the report describes every issue found. Please consider the advice given in each description, in order to rectify the issue.

Contents
1 Result Overview
2 Results per Host
  2.1 192.168.1.10
    2.1.1 High 445/tcp
    2.1.2 High general/tcp
    2.1.3 Medium 135/tcp
    2.1.4 Low general/tcp

1 Result Overview

Host          High  Medium  Low  Log  False Positive
192.168.1.10  2     1       1    0    0
Total: 1      2     1       1    0    0

Vendor security updates are not trusted. Overrides are on. When a result has an override, this report uses the threat of the override. Information on overrides is included in the report. Notes are included in the report. This report might not show details of all issues that were found. It only lists hosts that produced issues. Issues with the threat level Log are not shown. Issues with the threat level Debug are not shown. Issues with the threat level False Positive are not shown. Only results with a minimum QoD of 70 are shown. This report contains all 4 results selected by the filtering described above.
Before filtering there were 15 results.

2 Results per Host

2.1 192.168.1.10

Host scan start  Tue Apr 7 01:38:44 2020 UTC
Host scan end    Tue Apr 7 01:41:26 2020 UTC

Service (Port)  Threat Level
445/tcp         High
general/tcp     High
135/tcp         Medium
general/tcp     Low

2.1.1 High 445/tcp

High (CVSS: 9.3)
NVT: Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)

Summary
This host is missing a critical security update according to Microsoft Bulletin MS17-010.

Vulnerability Detection Result
Vulnerability was detected according to the Vulnerability Detection Method.

Impact
Successful exploitation will allow remote attackers to gain the ability to execute code on the target server, and could also lead to information disclosure from the server.

Solution
Solution type: VendorFix
The vendor has released updates. Please see the references for more information.

Affected Software/OS
Microsoft Windows 10 x32/x64 Edition
Microsoft Windows Server 2012 Edition
Microsoft Windows Server 2016
Microsoft Windows 8.1 x32/x64 Edition
Microsoft Windows Server 2012 R2 Edition
Microsoft Windows 7 x32/x64 Edition Service Pack 1
Microsoft Windows Vista x32/x64 Edition Service Pack 2
Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1
Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2

Vulnerability Insight
Multiple flaws exist due to the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests.

Vulnerability Detection Method
Send the crafted SMB transaction request with fid = 0 and check the response to confirm the vulnerability.
Details: Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)
OID: 1.3.6.1.4.1.25623.1.0.810676
Version used: 2019-05-03T10:54:50+0000

References
CVE: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148
BID: 96703, 96704, 96705, 96707, 96709, 96706
Other:
URL: https://support.microsoft.com/en-in/kb/4013078
URL: https://technet.microsoft.com/library/security/MS17-010
URL: https://github.com/rapid7/metasploit-framework/pull/8167/files

[ return to 192.168.1.10 ]

2.1.2 High general/tcp

High (CVSS: 10.0)
NVT: OS End Of Life Detection

Product detection result
cpe:/o:microsoft:windows_10:1507:cb:enterprise
Detected by OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)

Summary
OS End Of Life Detection. The Operating System on the remote host has reached the end of life and should not be used anymore.

Vulnerability Detection Result
The "Windows 10" Operating System on the remote host has reached the end of life.
CPE: cpe:/o:microsoft:windows_10:1507:cb:enterprise
Installed version, build or SP: 1507cb
EOL date: 2017-05-09
EOL info: https://support.microsoft.com/en-US/help/13853/windows-lifecycle-fact-sheet

Solution
Solution type: Mitigation

Vulnerability Detection Method
Details: OS End Of Life Detection
OID: 1.3.6.1.4.1.25623.1.0.103674
Version used: $Revision: 8927 $

Product Detection Result
Product: cpe:/o:microsoft:windows_10:1507:cb:enterprise
Method: OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)

[ return to 192.168.1.10 ]

2.1.3 Medium 135/tcp

Medium (CVSS: 5.0)
NVT: DCE/RPC and MSRPC Services Enumeration Reporting

Summary
Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) or MSRPC services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries.
Vulnerability Detection Result
Here is the list of DCE/RPC or MSRPC services running on this host via the TCP protocol:

Port: 49408/tcp
  UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49408]

Port: 49409/tcp
  UUID: 06bba54a-be05-49f9-b0a0-30f790261023, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49409]
    Annotation: Security Center
  UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49409]
    Annotation: DHCP Client LRPC Endpoint
  UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49409]
    Annotation: DHCPv6 Client LRPC Endpoint
  UUID: abfb6ca3-0c5e-4734-9285-0aee72fe8d1c, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49409]
  UUID: b3781086-6a54-489b-91c8-51d067172ab7, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49409]
  UUID: b37f900a-eae4-4304-a2ab-12bb668c0188, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49409]
  UUID: e7f76134-9ef5-4949-a2d6-3368cc0988f3, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49409]
  UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49409]
    Annotation: Event log TCPIP

Port: 49410/tcp
  UUID: 0d3c7f20-1c8d-4654-a1b3-51563b298bda, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
    Annotation: UserMgrCli
  UUID: 1a0d010f-1c33-432c-b0f5-8cf4e8053099, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
    Annotation: IdSegSrv service
  UUID: 2e6035b2-e8f1-41a7-a044-656b439c4c34, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
    Annotation: Proxy Manager provider server endpoint
  UUID: 3a9ef155-691d-4449-8d05-09ad57031823, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
  UUID: 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
    Annotation: IP Transition Configuration endpoint
  UUID: 86d35949-83c9-4044-b424-db363231fd0c, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
  UUID: 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
    Annotation: XactSrv service
  UUID: b18fbab6-56f8-4702-84e0-41053293a869, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
    Annotation: UserMgrCli
  UUID: c36be077-e14b-4fe9-8abc-e856ef4f048b, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
    Annotation: Proxy Manager client server endpoint
  UUID: c49a5a70-8a7f-4e70-ba16-1e8f1f193ef1, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
    Annotation: Adh APIs
  UUID: c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49410]
    Annotation: Impl friendly name

Port: 49411/tcp
  UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49411]
  UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49411]
    Named pipe: spoolss
    Win32 service or process: spoolsv.exe
    Description: Spooler service
  UUID: 4a452661-8290-4b36-8fbe-7f4093a94978, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49411]
  UUID: 76f03f96-cdfd-44fc-a22c-64950a001209, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49411]
  UUID: ae33069b-a2a8-46ee-a235-ddfd339be281, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49411]

Port: 49412/tcp
  UUID: 367abb81-9844-35f1-ad32-98f038001003, version 2
    Endpoint: ncacn_ip_tcp:192.168.1.10[49412]

Port: 49413/tcp
  UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
    Endpoint: ncacn_ip_tcp:192.168.1.10[49413]
    Named pipe: lsass
    Win32 service or process: lsass.exe
    Description: SAM access

Note: DCE/RPC or MSRPC services running on this host locally were identified. Reporting this list is not enabled by default due to the possible large size of this list. See the script preferences to enable this reporting.

Impact
An attacker may use this fact to gain more knowledge about the remote host.
Solution
Solution type: Mitigation
Filter incoming traffic to these ports.

Vulnerability Detection Method
Details: DCE/RPC and MSRPC Services Enumeration Reporting
OID: 1.3.6.1.4.1.25623.1.0.10736
Version used: $Revision: 6319 $

[ return to 192.168.1.10 ]

2.1.4 Low general/tcp

Low (CVSS: 2.6)
NVT: TCP timestamps

Summary
The remote host implements TCP timestamps and therefore allows the uptime to be computed.

Vulnerability Detection Result
It was detected that the host implements RFC1323. The following timestamps were retrieved with a delay of 1 second in between:
Packet 1: 470603
Packet 2: 471709

Impact
A side effect of this feature is that the uptime of the remote host can sometimes be computed.

Solution
Solution type: Mitigation
To disable TCP timestamps on Linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.
To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'.
Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on these systems is to not use the Timestamp options when initiating TCP connections, but to use them if the TCP peer that is initiating communication includes them in its synchronize (SYN) segment. See the references for more information.

Affected Software/OS
TCP/IPv4 implementations that implement RFC1323.

Vulnerability Insight
The remote host implements TCP timestamps, as defined by RFC1323.

Vulnerability Detection Method
Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for timestamps. If found, the timestamps are reported.
Details: TCP timestamps
OID: 1.3.6.1.4.1.25623.1.0.80091
Version used: $Revision: 14310 $

References
Other:
URL: http://www.ietf.org/rfc/rfc1323.txt
URL: http://www.microsoft.com/en-us/download/details.aspx?id=9152

[ return to 192.168.1.10 ]

This file was automatically generated.

MEMO

[date]
[Your name and course number/section]
[Opening Salutation]:

Overview

In this section, provide a brief overview to establish the purpose of your memorandum. You should introduce the topics in Parts 1, 2, and 3, below. Remember that you are writing to your immediate boss to help her address the CEO's concerns over recent cybersecurity attacks against the transportation sector. Additionally, your boss has provided you with the results of a recent pen testing engagement performed by a third party on behalf of Mercury USA.

Part 1: Vulnerability Management (VM) Process Recommendation

In this section, present a recommended VM process for Mercury USA. Highlight the major VM process components as you learned in your studies. Explain how your recommendation meets the business needs of Mercury USA. Consider the transportation sector and the overall scenario in context. The text and questions below represent specifics to focus on while writing the memorandum. Do not include the specific text of the questions in your final submission.

• What are the main elements of a VM process, tailored to Mercury USA and the transportation sector?
• How will you plan for and define the scope of a VM process?
• How will you identify the assets involved?
• How will you scan and assess vulnerabilities?
• What is/are the industry standard scanning tools? Support your findings.
• What frequency of scanning do you recommend and why?
• How will you report the results of scanning and recommended countermeasures?
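One way to turn the four findings in the scan report above into the ranked remediation list that Part 1 asks for, scored against the Lesson 5.6 criteria (priority, difficulty of implementation, inhibitors such as SLAs and business process interruption), with the two TCP timestamps from the Low finding used to check the scanner's claim that uptime can be computed. This is an added example for this page, not code from OpenVAS, the course, or the assignment. The finding names, ports, CVSS scores, solution types and the timestamps 470603/471709 are transcribed from the report; the scoring weights, the difficulty and inhibitors values, the exploit_public flag and the candidate clock rates in tcp_uptime_seconds are assumptions an analyst would replace with their own.

```python
"""Rank the 192.168.1.10 findings for remediation (added example; not OpenVAS code)."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    name: str
    port: str
    cvss: float
    solution_type: str                 # "VendorFix" or "Mitigation", as OpenVAS labels it
    difficulty: int = 1                # assumed scale: 1 (trivial) .. 5 (re-platform)
    inhibitors: list = field(default_factory=list)  # assumed: MOU, SLA, interruption, ...
    exploit_public: bool = False       # assumed from the report's references


# Transcribed from the April 7, 2020 report; difficulty, inhibitors and
# exploit_public are the analyst's assumptions, not scanner output.
FINDINGS = [
    Finding("Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (MS17-010)",
            "445/tcp", 9.3, "VendorFix", difficulty=2,
            inhibitors=["change control window"], exploit_public=True),
    Finding("OS End Of Life Detection (Windows 10 1507)", "general/tcp", 10.0,
            "Mitigation", difficulty=4,
            inhibitors=["business process interruption", "degrading functionality"]),
    Finding("DCE/RPC and MSRPC Services Enumeration Reporting", "135/tcp", 5.0,
            "Mitigation", difficulty=2, inhibitors=["SLA"]),
    Finding("TCP timestamps", "general/tcp", 2.6, "Mitigation", difficulty=1),
]


def priority_score(f: Finding) -> float:
    """Higher means remediate sooner. CVSS dominates; a vendor patch is easier to
    schedule than a mitigation; public exploit code raises urgency; each point of
    difficulty and each inhibitor pushes the item toward the change-control queue.
    The weights are assumed for illustration."""
    score = f.cvss * 10
    if f.solution_type == "VendorFix":
        score += 10
    if f.exploit_public:
        score += 20
    score -= 5 * f.difficulty
    score -= 5 * len(f.inhibitors)
    return score


def rank(findings):
    """Findings ordered most-urgent first."""
    return sorted(findings, key=priority_score, reverse=True)


def tcp_uptime_seconds(ts1: int, ts2: int, delay_s: float,
                       known_rates=(100, 250, 1000)) -> float:
    """Estimate uptime from two RFC 1323 timestamps taken delay_s seconds apart.
    The observed ticks-per-second is snapped to the nearest common clock rate
    (assumed candidate rates), then the second timestamp is divided by that rate."""
    observed = (ts2 - ts1) / delay_s
    rate = min(known_rates, key=lambda r: abs(r - observed))
    return ts2 / rate


def remediation_plan(findings=FINDINGS):
    """One line per finding, in remediation order, for the memo's Part 1 report."""
    lines = []
    for i, f in enumerate(rank(findings), 1):
        blockers = ", ".join(f.inhibitors) or "none"
        lines.append(f"{i}. {f.port:<11} CVSS {f.cvss:>4}  {f.solution_type:<10} "
                     f"difficulty {f.difficulty}  inhibitors: {blockers}  -> {f.name}")
    return lines


if __name__ == "__main__":
    print("\n".join(remediation_plan()))
    # The report's two timestamps, 1 s apart: 1106 ticks/s snaps to 1000 Hz
    print(f"Estimated uptime of 192.168.1.10: {tcp_uptime_seconds(470603, 471709, 1):.0f} s")
```

Run as a script, the MS17-010 finding ranks ahead of the end-of-life operating system even though its CVSS (9.3) is lower than the EOL finding's 10.0: a vendor patch with public exploit code is quicker to schedule than re-platforming a host, which is the distinction the Lesson 5.6 criteria draw between priority and difficulty of implementation. The exploit_public flag for MS17-010 is set because the report's references include the metasploit-framework pull request; the uptime estimate of roughly 472 seconds is only as good as the assumed clock rate, which is why the scanner itself says the uptime "can sometimes" be computed.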
VULNERABILITY MANAGEMENT PROCESS MEMO | [Document subtitle]

Part 2: Vulnerability Scanning Tool Evaluation and Recommendations

After performing an analysis of the vulnerability report provided by the third-party penetration testers, present your evaluation of the tool and your recommendations here. The text and questions below represent the specifics to focus on while writing your memorandum. Do not include the specific text of the questions in your final submission.

• Identify the scanner used to produce the report. Is the tool open source or commercial?
• Do you consider the tool to be industry standard?
• What are some advantages to using the tool? Disadvantages?
• What is your overall impression of the tool's output? Does the tool provide enough reporting detail for you as the analyst to focus on the correct vulnerabilities? Can you appropriately discern the most critical vulnerabilities?
• Do you think mitigations for the vulnerabilities are adequately covered in the report?
• Do you think the reports are suitable for management? Explain why or why not.
• Would you distribute the report automatically? Explain why or why not.
• Would you recommend that Mercury USA use the tool? Explain why or why not.

Part 3: Business Case Example

In this section, provide an example of what could happen if Mercury USA does not implement your recommendations for a VM process (e.g., data exfiltration, hacker intrusions, ransomware, etc.). The text and questions below represent the specifics to focus on while writing your memorandum. Do not include the specific text of the questions in your final submission.

• What are some of the outcomes to the business if your example occurred?
• How does your recommended VM process address the example you used?
• For the tool you evaluated in Part 2 above, do you think the tool will be adequate? Why or why not?
Closing

In this section, summarize the main points of your argument for a VM process and tool evaluation, and use the case example to support your recommendations. Keep in mind that you are addressing the CEO's concerns over recent cybersecurity attacks against the transportation sector and how you can help increase Mercury USA's overall security posture to protect the organization against attacks, breaches, and data loss.

Cybersecurity Threat Analyst
Mercury USA

References

Use in-text citations in the body of your memorandum as appropriate. Add all sources you used here. This example citation uses IEEE style. Use a style of your choice or ask your instructor for clarification. When using the associated course content, ensure that you cite to the chapter level.

[1] "Chapter 5: Implementing an Information Security Vulnerability Management Process", Pearson CompTIA Cybersecurity Analyst (CySA+), 2020. [Online]. Available: https://www.ucertify.com/. [Accessed: 28-Apr-2020].


