The attacker gained access to Luigi's network and sensitive data after an employee connected an unauthorized personal laptop to the network. The laptop was left running over the weekend, and its suspiciously slow behaviour was never reported. From that foothold the attacker scanned the local network and reached an unsecured FTP service that permitted anonymous access, allowing theft of sensitive data without any credentials. Several CIS Controls could have prevented this, including inventory of enterprise assets, data protection, access control, continuous vulnerability management, and security awareness training. Safeguards within these controls, such as addressing unauthorized assets, encrypting sensitive data, configuring data access control lists, and training employees, could have stopped the attack at several points.


Luna Assignment 3.6 Case Study CYB469-O 01

Clearly state all of the issues that need to be addressed at Luigi's. (How did the attack occur?)
(Please use bullets or numbers.)
- An employee brought in a personal laptop
- The unauthorized computer was able to connect to the company network
- The attacker was able to reach the compromised laptop and scan the local network
- The user left the computer on over the weekend
- The user did not report that the computer was running suspiciously slowly
- The FTP service allowed anonymous access
- The attacker was able to take sensitive data without any credentials
- The list of known malicious sites was out of date
- Sensitive information on the server was not encrypted or otherwise secured

Which CIS Controls v8 could have helped to prevent the attack that is detailed in the case
study? (Please use bullets or numbers.) Why is the Control important? (Answer this for each
control listed in #2, 25 word minimum). Be thorough in your response.
- Control 01 Inventory and Control of Enterprise Assets
o This is an important control because an organization cannot protect assets it
does not know about. An accurate, current inventory tells the company which
devices are authorized, so a personal laptop that was never enrolled would stand
out the moment it appeared on the network instead of sitting there unnoticed all
weekend. Likewise, they should have had a policy, backed by that inventory, that
restricts non-authorized computers from connecting to their network at all.
- Control 03 Data Protection
o This control would have helped Luigi Inc with their data management. A large
amount of sensitive data was taken, and none of it had any security measure
preventing it from being accessed by someone without authorization. This control
establishes how data is classified, who owns it, how it is stored and retained,
and when it must be encrypted.
- Control 05 Account Management
o This control would help in discerning which accounts have access to which
information. It would require that users authenticate with their own credentials
before being able to access protected parts of the network, so that every action
can be tied to a real identity. It would also restrict normal users from
accessing sensitive information or information that does not pertain to their
job role.
- Control 06 Access Control Management
o Similar to Control 05; however, this control deals with what those accounts
have access to. It ensures that users only have the access they need to do their
jobs and nothing more. Having a good policy to enforce this is important not just
for Luigi Inc but for many other organizations, as it would have limited what
information the attacker could reach, and an anonymous FTP client should have
been granted nothing at all.
- Control 07 Continuous Vulnerability Management
o This control is perhaps one of the top three controls that would have stopped
this attack from ever happening. If the company had this control in place and
performed regular vulnerability scanning, they would have picked up that the FTP
service was not secured and allowed anonymous connections. Anonymous FTP is a
configuration weakness rather than a software bug, so the fix would have been to
disable anonymous access or retire the service, not to install a patch.
- Control 09 Email and Web Browser Protections
o This control applies mainly for its browser portion. The attacker was able to
use a malicious website that was not on the list of known malicious sites and
thus was not blocked by the network. Had the list been kept up to date, the
attacker would have had to resort to a different site or a different method to
extract the data.
- Control 10 Malware Defenses
o Having good anti-malware software in place would help not only in this case
but in many other situations. Preventing malware from running on a network is a
strong way to protect it, and being able to detect infections as they arise and
deal with them accordingly is just as important; a compromised laptop that is
scanning the network is exactly the kind of behaviour this control is meant to
catch.
- Control 12 Network Infrastructure Management
o This particular control was a bit of a toss-up, if I'm being honest. However,
ultimately I decided that if the network infrastructure is up to date then it
means that everything is working in tandem with one another and is secured.
Ensuring that the network infrastructure is up to date means that everything is
patched accordingly, updated to the latest version and working smoothly.
- Control 13 Network Monitoring and Defense
o This control, if it had been in place, would have provided constant monitoring
and alerting when an intruder is detected. Although the company was eventually
able to identify the source of the attack, by then nothing could be done to stop
the attacker from stealing the information; monitoring would have raised the
alarm while the scan was still in progress.
- Control 14 Security Awareness and Skills Training
o This one is a given, since training is always beneficial. It should be obvious
to anyone that bringing in a personal device that is not approved by the company
and using it for work is a security risk. If the employee had received proper
training they would have known this and would not have brought in their own
computer to work on, and they would have known to report a machine that was
suddenly running slowly.
- Control 18 Penetration Testing
o I debated adding this control because I was struggling to understand whether
it would have truly helped them find the FTP vulnerability that was exploited. I
concluded that if they had done a pentest on their external systems they could
have found that vulnerability and exploited it in the same way the attacker did.
Not only would they have found the FTP vulnerability, they could also have found
a slew of other vulnerabilities as well.
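Control 01 turns on being able to answer one question quickly: is this device on the network one of ours? The script below is an added example, not part of the original assignment or of the CIS Controls material. It compares neighbour-table output from a scanning host against an asset inventory and reports devices whose MAC address is not enrolled, which is what safeguards 1.2 and 1.3 call for. The hostnames, MAC addresses and both command outputs (Linux `ip neigh show` and Windows `arp -a` formats) are constructed for the example.

```python
"""Flag discovered devices that are not in the enterprise asset inventory.

Added example for CIS Controls 1.1-1.3. All hostnames, MACs and command
output below are constructed; nothing here comes from the case study itself.
"""
import re
from dataclasses import dataclass

# Constructed inventory (CIS 1.1): MAC -> asset description. Hypothetical names.
AUTHORIZED_ASSETS = {
    "00:1a:2b:3c:4d:01": "luigi-fs01 (file server)",
    "00:1a:2b:3c:4d:02": "luigi-ws-accounting-07",
    "00:1a:2b:3c:4d:03": "luigi-printer-2f",
}

# Constructed output in the format of `ip neigh show` on a Linux scanning host.
IP_NEIGH_OUTPUT = """\
10.10.5.10 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
10.10.5.21 dev eth0 lladdr 00:1A:2B:3C:4D:02 STALE
10.10.5.22 dev eth0 lladdr 00:1a:2b:3c:4d:03 REACHABLE
10.10.5.77 dev eth0 lladdr a4:5e:60:11:22:33 REACHABLE
10.10.5.99 dev eth0 FAILED
"""

# Constructed output in the format of `arp -a` on a Windows host.
ARP_A_OUTPUT = """\
Interface: 10.10.5.50 --- 0xb
  Internet Address      Physical Address      Type
  10.10.5.10            00-1a-2b-3c-4d-01     dynamic
  10.10.5.77            a4-5e-60-11-22-33     dynamic
  10.10.5.255           ff-ff-ff-ff-ff-ff     static
"""

_MAC = r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
# A data line starts with an IPv4 address and contains a MAC somewhere after it.
_LINE_RE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*?(?P<mac>" + _MAC + r")")


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str


def normalize_mac(mac):
    """Canonical form so 00-1A-2B-... and 00:1a:2b:... compare equal."""
    return mac.lower().replace("-", ":")


def parse_neighbors(text):
    """Parse `ip neigh` or `arp -a` style output into Device records.

    Lines without a MAC (FAILED/INCOMPLETE entries, headers) are skipped, as are
    broadcast and IPv4 multicast addresses, which are not hosts.
    """
    devices = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        mac = normalize_mac(m["mac"])
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        devices.append(Device(m["ip"], mac))
    return devices


def find_unauthorized(devices, inventory):
    """Return devices whose MAC is not in the inventory, one entry per MAC."""
    known = {normalize_mac(mac) for mac in inventory}
    seen = {}
    for d in devices:
        if d.mac not in known and d.mac not in seen:
            seen[d.mac] = d
    return sorted(seen.values(), key=lambda d: d.ip)


def triage(outputs, inventory=AUTHORIZED_ASSETS):
    """Combine several discovery outputs and split them into known/unknown."""
    devices = [d for text in outputs for d in parse_neighbors(text)]
    unknown = find_unauthorized(devices, inventory)
    known_macs = {d.mac for d in devices} - {d.mac for d in unknown}
    return {"authorized": sorted(known_macs), "unauthorized": unknown}


if __name__ == "__main__":
    result = triage([IP_NEIGH_OUTPUT, ARP_A_OUTPUT])
    for d in result["unauthorized"]:
        print(f"UNAUTHORIZED asset: {d.ip} ({d.mac}) - not in inventory, quarantine per 1.2")
```

A MAC address is an identifier, not proof of identity; it can be spoofed, so this kind of report is for finding what does not belong (the CIS 1.2 weekly review), while actually keeping an unknown device off the network is the job of port-level access control (safeguard 13.9).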

List the Safeguards for each of the Controls that are listed in question 2, that should have been
implemented to prevent the attack. (Please use bullets or numbers.) Why are the Safeguards
important? (Answer this for each safeguard listed in #3, 25 word minimum). Be thorough in
your response.

- Control 01 Inventory and Control of Enterprise Assets
o 1.1 Establish and Maintain Detailed Enterprise Asset Inventory
▪ This safeguard is necessary because it lets the company know what is in their
inventory and which assets are a top priority to protect. It ensures that the
inventory is kept up to date and records every device that has been allowed on
the network, whether connected physically, virtually, remotely, or in the cloud.
Without such a baseline there is no way to recognise a personal laptop as
foreign.
o 1.2 Address Unauthorized Assets
▪ This safeguard could have prevented the attack from the beginning. If it had
been in place, the personal laptop would have been identified as an unauthorized
asset and removed from the network, denied access, or quarantined, thwarting the
attacker's plan before the network scan ever happened.
o 1.3 Utilize an Active Discovery Tool
▪ Having this safeguard in place would help the organization keep track of which
devices are connecting to the network and know which are authorized and which are
not. A discovery scan run daily against the company's address space would have
turned up the laptop while it sat on the network over the weekend.
- Control 03 Data Protection
o 3.1 Establish and Maintain a Data Management Process
▪ Establishing a data management process is crucial to any business. The process
would address how to handle sensitive data, who owns the data, how long the data
can be stored, and how to protect it. The document would need to be reviewed and
updated annually, or whenever a significant change occurs, to stay current.
o 3.2 Establish and Maintain a Data Inventory
▪ This safeguard helps the company know how much sensitive information it holds,
where it is stored, and how best to store it. It would be based on the company's
needs and on how sensitive each set of information is; the FTP server holding
sensitive files should have appeared in this inventory.
o 3.3 Configure Data Access Control Lists
▪ This is an incredibly crucial safeguard because it limits what users can
access. It configures access on a need-to-know basis, meaning a user can only
reach what they need to complete their job. Nothing more, nothing less. Had the
FTP server's files carried a proper ACL, an anonymous client would have had no
read access to sensitive data at all.
o 3.4 Enforce Data Retention
▪ This safeguard helps with compliance and with not storing information past its
legal limit. Once information becomes obsolete or reaches its minimum or maximum
legal retention period it should be disposed of properly. It is not known exactly
what information was stolen from Luigi Inc's servers, but if any of it had
already met the disposal requirements, its theft could have been prevented simply
by no longer holding it.
o 3.5 Securely Dispose of Data
▪ This safeguard goes hand in hand with 3.4: once data reaches its retention
limit it should be securely disposed of, not merely deleted. This keeps personal
information safe and ensures sensitive company information is not held onto
indefinitely, where it only adds to what an attacker can take.
o 3.6 Encrypt Data on End-User Devices
▪ Data stored on end-user devices should be encrypted because an end-user device
is very often an attacker's first point of entry. If the device is encrypted, an
attacker who steals it or reads its disk offline cannot recover the data. Device
encryption does not protect a machine that is powered on and logged in, so it
complements rather than replaces the other safeguards. This is especially useful
because the end user could be anyone, including top management and the CEO, who
have access to everything.
o 3.7 Establish and Maintain a Data Classification Scheme
▪ This safeguard is mostly about organizing data. It would help in seeing which
data is more valuable and should be protected more. The company would have to
create a classification scheme such as Public, Internal, and Sensitive, and each
classification would carry different requirements for security and protection.
o 3.10 Encrypt Sensitive Data in Transit
▪ Plain FTP sends credentials and file contents in clear text, so this safeguard
would have meant replacing it with an encrypted, authenticated protocol such as
SFTP or FTPS. That protects data from being read or tampered with on the wire,
both over the internet and between computers on the local network, so its
integrity can be trusted. On its own it would not have stopped a download by an
anonymous client; that requires the access controls in 3.3 and Controls 05 and
06.
o 3.11 Encrypt Sensitive Data at Rest
▪ All sensitive data should always be encrypted at rest. Encryption is another
layer of protection on top of the other security measures. Even if a user gains
access to the machine where the information is stored, they will not have access
to the plaintext version of the documents without the key.
- Control 05 Account Management
o 5.1 Establish and Maintain an Inventory of Accounts
▪ This safeguard creates a record of which accounts exist within the network. It
would hold information on whose account it is, what permissions it has, the
person's start date, their departure date if they have left, and whether the
account is still active or not.
o 5.2 Use Unique Passwords
▪ One of the more important safeguards is using unique passwords, because a
password reused across accounts lets an attacker who obtains it once get into
every account that shares it, and a longer password takes an attacker more time
to crack. The safeguard sets a minimum of 8 characters for accounts that use MFA
and 14 for those that do not. Although the safeguard distinguishes which
accounts should use MFA, I believe that all accounts, regardless of character
count, should have MFA implemented.
o 5.3 Disable Dormant Accounts
▪ Active dormant accounts are just asking to be used for an attack. If an
account is left active after a user has left, it can be used as an entry point
because its credentials are never updated. If the person who left is a
disgruntled employee who wants to get back at the company and their account
remains active, they could use it to do just that. The safeguard calls for
disabling accounts after 45 days of inactivity.
o 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
▪ This safeguard has administrators use a dedicated account for administrative
tasks and a separate standard account for everyday work such as email and web
browsing. That way, if the everyday account is compromised through a malicious
site or attachment, the attacker does not immediately inherit administrative
rights. Although restrictive, this separation is extremely important for
security.
- Control 06 Access Control Management
o 6.1 Establish an Access Granting Process
▪ This safeguard would create a process by which new users or hires receive the
rights their role requires without needing to ask for them individually.
Likewise, it could be used when an employee receives a promotion and the new job
role requires extra or different rights, so that access is always granted
deliberately rather than accumulated.
o 6.5 Require MFA for Administrative Access
▪ Since much of the information that was stolen should have been kept protected
and should have required administrative credentials to reach, this safeguard
applies. It requires not only a password but also a second factor before
granting access to anything that requires administrative privileges, so a stolen
password alone is not enough.
o 6.6 Establish and Maintain an Inventory of Authentication and Authorization
Systems
▪ The company should have a process that keeps track of every system that
handles authentication and authorization. The inventory should be updated every
time a new system requiring authentication or authorization is added. Had this
existed, an FTP service that performed no real authentication would have stood
out, and it would have been clearer what information the attacker was after and
how the company needed to respond.
- Control 07 Continuous Vulnerability Management
o 7.1 Establish and Maintain a Vulnerability Management Process
▪ Having this in place would hold the IT security team accountable for ensuring
that vulnerability management actually takes place. The process should be
reviewed annually, or whenever something significant changes in the
environment.
o 7.3 Perform Automated Operating System Patch Management
▪ Create a process in which the operating system updates itself automatically
monthly, or more frequently depending on the environment. Doing this keeps the OS
current and closes vulnerabilities not dealt with in a previous patch. Note that
anonymous FTP is a configuration weakness rather than a software bug, so
patching on its own would not have closed it; scanning (7.5) and remediation
(7.7) are what catch misconfigurations.
o 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
▪ This would help ensure that no assets carry known vulnerabilities or
dangerous configurations, and that those that do are dealt with accordingly. An
authenticated scan of the internal network would have reported the FTP service
accepting anonymous logins. This should take place on a frequent basis
(quarterly at minimum) and whenever a new asset is introduced.
o 7.7 Remediate Detected Vulnerabilities
▪ Having this safeguard in place would have dealt with the vulnerable FTP
service and fixed it as soon as it was found. This safeguard establishes a
process that remediates detected vulnerabilities through configuration changes or
software updates on a risk-based schedule, monthly or more frequently, so that
findings do not sit unresolved.
- Control 09 Email and Web Browser Protections
o 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
▪ This safeguard ensures that only browsers and email clients that are still
receiving full vendor support are able to operate on the network. Anything else
is blocked, since unsupported software no longer receives security fixes.
o 9.3 Maintain and Enforce Network-Based URL Filters
▪ This type of filtering could have stopped the attack in its tracks, provided
the list was current: the network would have recognised the malicious website and
blocked access to it. In this case the list of known malicious sites was out of
date, which is exactly why the filter did not help. All enterprise assets must
abide by these filters, and the filter lists must be kept updated.
o 9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
▪ This safeguard would block or automatically uninstall any browser or email
client extension, plugin, or add-on that was not approved or not needed, since
unvetted extensions are a common way for malicious code to run inside an
otherwise supported browser.
- Control 10 Malware Defenses
o 10.1 Deploy and Maintain Anti-Malware Software
▪ This safeguard would ensure that all of the company's computers and approved
devices that are capable of running antivirus or other anti-malware software
have it installed and properly maintained.
- Control 12 Network Infrastructure Management
o 12.1 Ensure Network Infrastructure is Up-to-Date
▪ This safeguard ensures that all network infrastructure software is running the
latest stable version and that it is reviewed at least monthly, if not more
frequently, for updates.
o 12.2 Establish and Maintain a Secure Network Architecture
▪ This safeguard overlaps with other controls because it addresses segmentation,
least privilege, and access controls along with other security measures. Having
a secure network architecture means these measures work in tandem with each other
for the best possible security. Had the file server sat in its own segment, a
laptop on the user network would not have been able to reach its FTP port.
- Control 13 Network Monitoring and Defense
o 13.2 Deploy a Host-Based Intrusion Detection Solution
▪ This safeguard would have the company install a host-based intrusion
detection solution on assets that can support it, to detect intrusions on those
hosts. Since it watches the host rather than the wire, an agent on the file
server could have flagged the anonymous logins and bulk reads of sensitive
files, while the network scan itself would be the job of network-level
monitoring.
o 13.9 Deploy Port-Level Access Control
▪ This safeguard uses 802.1X or a similar network access control mechanism so
that a device must authenticate (by certificate or user/device credentials)
before a switch port or wireless association grants it network access. An
unmanaged personal laptop plugged into an open port would have been refused or
placed in a quarantine VLAN, which would have stopped this attack at its very
first step.
- Control 14 Security Awareness and Skills Training
o 14.1 Establish and Maintain a Security Awareness Program
▪ This safeguard encompasses all of the other safeguards in this control. It
creates a program in which all employees are educated on how to interact with
company assets in the safest way possible. The program would state how often
employees need to be trained and would be updated as new information becomes
available.
o 14.9 Conduct Role-Specific Security Awareness and Skills Training
▪ This is a great safeguard since not all positions carry the same security
risk. Higher positions require the most training since they deal with more
sensitive information and need to be educated properly on what must be protected
and how best to interact with the assets specific to their role.
- Control 18 Penetration Testing
o 18.1 Establish and Maintain a Penetration Testing Program
▪ This safeguard is put in place to maintain accountability for keeping up the
pentest program. It would help the company organize a pentest that is
appropriate to their size, exposure, and needs.
o 18.2 Perform Periodic External Penetration Tests
▪ This is perhaps the best way the FTP vulnerability could have been spotted. An
external pen test focuses on vulnerabilities in internet-facing assets such as
web servers, email servers and, of course, FTP servers. With a safeguard in place
for performing these tests, it is reasonable to expect that exposed services with
vulnerabilities would have been found and dealt with accordingly.
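The anonymous-FTP weakness that safeguards 7.5 and 18.2 are meant to catch is simple to test for. The script below is an added example, not part of the original assignment or of the CIS Controls material. It stands up a minimal fake FTP control-channel responder on localhost as a constructed stand-in for Luigi's server, once configured to accept anonymous logins and once hardened to refuse them, and runs the check a vulnerability scanner or external pentest would run: connect, send USER anonymous and a PASS, and see whether the service answers 230. The banner text and passwords are assumptions; `allows_anonymous_login` is the part you would point at a real host.

```python
"""Check whether an FTP service accepts anonymous logins.

Added example for CIS safeguards 7.5 / 18.2. The fake server is a constructed
stand-in so the check runs offline; allows_anonymous_login() is the real check.
"""
import socket
import threading
from ftplib import FTP, error_perm


def _serve_one(conn, allow_anonymous):
    """Minimal FTP control-channel responder: just enough of RFC 959 for a login."""
    rfile = conn.makefile("r", encoding="latin-1")

    def reply(text):
        conn.sendall((text + "\r\n").encode("latin-1"))

    reply("220 luigi-files FTP service ready")  # banner text is an assumption
    user = None
    for line in rfile:
        parts = line.strip().split(" ", 1)
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if cmd == "USER":
            user = arg.lower()
            reply("331 Password required for " + arg)
        elif cmd == "PASS":
            if allow_anonymous and user in ("anonymous", "ftp"):
                reply("230 Anonymous access granted")  # the misconfiguration
            else:
                reply("530 Login incorrect")          # hardened behaviour
        elif cmd == "QUIT":
            reply("221 Goodbye")
            break
        else:
            reply("502 Command not implemented")
    conn.close()


def start_fake_ftp(allow_anonymous):
    """Listen on an ephemeral localhost port; returns (stop_event, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop event
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=_serve_one, args=(conn, allow_anonymous),
                             daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return stop, port


def allows_anonymous_login(host, port, timeout=3.0):
    """Return True if the FTP service at host:port accepts USER anonymous.

    A 5xx reply to PASS means anonymous access is refused. A connection error
    propagates as OSError so "no service" is not confused with "refused".
    """
    ftp = FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.login("anonymous", "scanner@example.invalid")  # conventional anon password
        return True
    except error_perm:
        return False
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


def demo():
    """Run the check against an unsecured and a hardened fake server."""
    results = {}
    for label, anon in (("unsecured", True), ("hardened", False)):
        stop, port = start_fake_ftp(anon)
        try:
            results[label] = allows_anonymous_login("127.0.0.1", port)
        finally:
            stop.set()
    return results


if __name__ == "__main__":
    for label, anon in demo().items():
        print(f"{label}: anonymous login {'ALLOWED' if anon else 'refused'}")
```

Against a real host the finding "anonymous login allowed" is only half the story: the next step in a scan or pentest is to list what the anonymous user can read, which in Luigi's case was the sensitive data itself. That listing is what remediation under 7.7 (disable anonymous access, or replace FTP with an authenticated SFTP/FTPS service per 3.10) should make empty.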
