Module 1: Course Project
This module provides the student with all the background information needed to complete the course project. For your course project, your task in module 1 is to read the material and familiarize yourself with the organization details.
At the end of this course, you will submit your course project for grading. In your course project presentation, you will address the following:
- Perform a vulnerability data analysis and identify the vulnerabilities most likely to be leveraged against the organization in a cyber-attack.
- Include an attack scenario based on vulnerability analysis.
- Quantify the potential financial impact using the FAIR™ method.
- Provide a summary of your findings.
- Submit a list of recommendations.
Course Project Background Information
The CIO and CISO have asked you to draft an initial analysis quantifying their cybersecurity risk. They will be reviewing the annual budget with the CEO and other stakeholders and want this information to help in their decision-making process.
Company Name: ABC Accounting Services
ABC Accounting Firm is a full-service accounting firm that offers businesses and individuals a wide range of accounting, tax, and consulting services. With over 20 years of experience, our team of certified public accountants and tax professionals is dedicated to providing high-quality, personalized service to each of our clients.
Our services include bookkeeping, financial statement preparation, tax planning and preparation, business consulting, and more. We work with clients in various industries, including healthcare, real estate, construction, and professional services, among others.
At ABC Accounting Firm, we understand that every client is unique, so we take a personalized approach to each engagement. We work closely with our clients to understand their specific needs and goals and tailor our services to meet those needs. Our team is committed to providing timely, accurate, and reliable service to help our clients achieve their financial objectives.
We pride ourselves on our commitment to excellence, integrity, and professionalism. We are dedicated to staying up to date with the latest accounting and tax regulations to ensure our clients receive the most accurate and comprehensive advice possible.
Number of Employees: 50
Office Locations:
- New York City, NY – 25 users
- San Francisco, CA – 15 users
- Miami, FL – 10 users
New York City Office:
The New York City office is the main location for ABC Accounting Services, and it houses the main server for the entire network. The perimeter defense equipment in this office includes a Cisco firewall, a Cisco intrusion prevention system, and Symantec Endpoint Protection for antivirus and endpoint security. The office also has a backup server for disaster recovery purposes. The computers in this office run Windows 11 and use Microsoft Office 365 as their main set of applications, in addition to the custom accounting software.
San Francisco Office:
The San Francisco office is a satellite location for ABC Accounting Services, and it has a smaller network architecture compared to the New York City office. The perimeter defense equipment in this office includes a Fortinet firewall, a Fortinet intrusion prevention system, and McAfee Endpoint Protection for antivirus and endpoint security. The computers in this office also run Windows 11 and use Microsoft Office 365 as their main set of applications, in addition to the custom accounting software.
Miami Office:
The Miami office is another satellite location for ABC Accounting Services, and it has a similar network architecture to the San Francisco office. The perimeter defense equipment in this office includes a Cisco firewall, a Cisco intrusion prevention system, and Symantec Endpoint Protection for antivirus and endpoint security. The computers in this office also run Windows 11 and use Microsoft Office 365 as their main set of applications, in addition to the custom accounting software.
A development environment also exists in the Miami office to support the network team. Patches are tested there, and new configurations are developed, before deployment firm-wide.
Office Application:
Microsoft Office 365
File Sharing:
Dropbox Business: Dropbox Business is a popular cloud storage and file-sharing platform that many accounting firms use. It provides a secure environment for sharing files and collaborating with clients and team members.
Collaboration:
- Microsoft Teams
- Zoom
Accounting Software:
- QuickBooks
- Sage Intacct
Interview Notes: Network Security
Interview Date: March 12, 2023
Person Interviewed: Mr. Barasha
Initial interview notes on security provided by Mr. Barasha:
Our perimeter defense is very comprehensive. We use the Cisco ASA firewall and a Cisco intrusion prevention system. Our internet provider provides excellent protection.
The Cisco ASA firewall integrates multiple full-featured, high-performance security services, including application-aware firewall, SSL and IPsec VPN, intrusion prevention system (IPS), antivirus, antispam, antiphishing, and web filtering services.
One of the key benefits of the Cisco ASA firewall is its ability to create a Virtual Private Network (VPN) tunnel between the corporate network and another device located on a different network. The VPN tunnel protects all the traffic flowing from external devices to the corporate network over the public internet.
Cisco Intrusion Prevention System (IPS) is a network security technology that monitors network traffic for malicious activity and takes action to prevent attacks. It is designed to provide real-time protection against various threats, including malware, viruses, and other types of malicious traffic.
We also leverage the security in Office 365. Some of the key security features and measures of Office 365 include:
Encryption: Office 365 uses encryption to protect user data in transit and at rest. Email messages, attachments, and other files are encrypted using industry-standard encryption protocols.
Multi-Factor Authentication: Office 365 supports multi-factor authentication, which requires users to provide two or more forms of identification before accessing their accounts. This helps prevent unauthorized access to user accounts.
Threat Intelligence: Office 365 uses advanced threat intelligence and machine learning algorithms to detect and block known and unknown threats, including malware, viruses, phishing attacks, and other types of malicious activity.
Data Loss Prevention: Office 365 includes data loss prevention (DLP) features that help prevent the accidental or intentional disclosure of sensitive data. DLP policies can be customized to meet an organization’s specific needs.
Advanced Threat Protection: Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that provides additional protection against advanced threats, such as phishing and malware attacks.
Interview Questions and Answers:
- Do users have corporate-owned smartphones and devices?
- No, we have a Bring Your Own Device (BYOD) policy.
- Do you have data loss prevention capabilities?
- No, actually. It is possible in Office 365, but we are not scheduled to implement that until the first quarter of next year. There is no such capability for Box or even any of our collaboration platforms, Teams or Zoom.
- Is annual cybersecurity awareness training required?
- Well, technically, it is, but we do not track that. Human Resources was supposed to be responsible for that, but I am not aware they have gotten involved in that yet.
- Do you perform background checks on interns? I know that we have been hiring interns for the last three years.
- Well, that is expensive, and they are just interns, after all. No, we have never seen the need for background checks. Look, these young people are not very skilled, but it is good to have them working here in operations because it gives us a chance to see how they work and how much they know before we hire them. We have had five interns so far, and I have hired two of them.
- What type of network administration do these interns do?
- Well, mostly, they are interested in Cisco certifications, so they have access to that and the data backups.
- How many incidents has the firm experienced in the last 12 months?
- I wouldn’t say we’ve had any serious incidents. Our perimeter defense is quite good, as is our end-point protection.
- Ok, then can you give me an estimate, from the log data, of how many times our perimeter defense and end-point protection have blocked malware or other attacks?
- Oh sure. I thought you might want to know how well they are working. Our internet provider blocks most things like denial-of-service attempts, but we do regularly see hundreds of attempts to breach our internet-facing servers. Mostly they are malformed requests, which our application firewall recognizes and blocks. Our Exchange server is often a target of phishing and malware attachments, which get stripped off. What makes it past those filters, the end-point protection blocks on download. If I had to put numbers to it, I’d say we see 12 blocked malware attempts on workstations per month; that’s across all three offices. We probably get 200 blocked scans and malformed requests against each of our web servers per month.
- How long does it take to patch new vulnerabilities, on average?
- Oh, we get those done every month. We do have a few that are a bit tricky, so those can take a bit longer. But our team does a really good job of patching the critical vulnerabilities right away, I’d say.
Interview Notes: Finance and Legal Departments
Interview Date: March 20, 2022
People Interviewed: Ms. Kowalski (finance) and Mr. Kim (legal)
The primary purpose of this interview was to establish preliminary costs in the event of a cyber-attack.
Ms. Kowalski:
Let me first go on the record as having stated that these are merely estimates, and without more precise data, I cannot be expected to provide an accurate estimate. However, I understand that our CEO wishes me to give you some numbers to use in your analysis, so here is what I suggest you use:
Lost Productivity: Assuming an average salary of $50,000 per year, the cost of lost productivity for an employee over three days would be ($50,000/260 workdays per year) x 3 or $577. Just multiply that estimate by the number of affected employees.
Of course, you should adjust these numbers to reflect how many people might actually be affected. And, as I said, this is an average salary range. Certainly, not everyone earns this salary. Many of our executives earn substantially more than this, so if they were affected, your estimate would be much different.
Recovery and Remediation: The cost of recovering from a cyber-attack can be significant, including costs associated with investigating the attack, restoring data and systems, and implementing new security measures. A conservative estimate for recovery and remediation costs might be $50,000.
I have been provided this number after speaking with Mr. Barasha. So again, I caution you that the actual costs can vary wildly from this figure.
New Server: Depending on the extent of the attack, it may be necessary to replace servers that have been compromised. The cost of a new server can vary widely depending on the organization’s specific requirements, but a reasonable estimate might be $5,000.
New Laptops: If laptops have been compromised in the attack, it may be necessary to replace them. The cost of a new laptop can vary widely depending on the organization’s specific requirements, but a reasonable estimate might be $1,500 per laptop. Assuming five laptops need to be replaced, the total cost would be $7,500.
Adding up these costs gives a rough estimate of the total cost of a cyber-attack with a downtime of 3 days for an accounting firm with 50 employees:
$28,850 (Lost Productivity) + $50,000 (Recovery and Remediation) + $5,000 (New Server) + $7,500 (New Laptops) = $91,350.
Keep in mind that these are rough estimates, and the actual costs could be higher or lower depending on the specific circumstances of the attack. It is important for organizations to have a comprehensive cybersecurity plan in place to prevent attacks and minimize the impact of any successful attacks.
Mr. Kim:
Let me first go on the record as having stated that without details, it is nearly impossible to estimate secondary costs, which, as I understand, could include legal as the result of a lawsuit. Nevertheless, I understand our CEO wishes you to have some level of estimate, so this is what I can provide you with at this time.
The expected legal fees for a lawsuit against ABC Accounting Firm for negligence as a result of a cyber-attack in which highly sensitive client data was accessed and exposed can vary widely depending on several factors, including the severity of the breach, the complexity of the case, and the specific legal services required. Here are some factors that may impact the expected legal fees:
Severity of the Breach: The severity of the breach can impact the complexity of the case and the amount of legal work required. If highly sensitive client data was accessed and exposed, the case may be more complex and require more legal work to demonstrate the extent of the harm caused by the breach.
Scope of the Lawsuit: The lawsuit’s scope can also impact the expected legal fees. If the lawsuit is limited to a single client, the fees may be lower than if multiple clients are involved.
Legal Services Required: The legal services required for the case can also impact the expected legal fees. For example, if expert witnesses are required to testify about the impact of the breach on clients, this may increase the cost of the case.
Given these factors, it is difficult to provide a specific estimate for the expected legal fees for a lawsuit against ABC Accounting Firm for negligence due to a cyber-attack. However, the fees would likely be significant, potentially ranging from tens of thousands to hundreds of thousands of dollars, depending on the complexity of the case and the legal services required.
In addition, there are possible regulatory fines to consider. I will give you the following example:
The potential regulatory fines that ABC Accounting Firm might face in the event of a serious cyber-attack and sensitive client data exposure can vary depending on the regulatory framework in which the firm operates. However, several examples of regulatory fines and penalties have been levied against companies in the past for similar incidents.
For example, in 2021, the Securities and Exchange Commission (SEC) sanctioned eight firms for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm. The fines ranged from $75,000 to $300,000 per firm (https://www.sec.gov/news/press-release/2021-169).
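As an added illustration (not part of the course material or the interviews), the Python below turns Ms. Kowalski's primary-loss figures and Mr. Kim's secondary-loss ranges into a FAIR-style loss magnitude estimate: the primary loss is computed exactly as the finance interview does, and the secondary loss (legal fees plus regulatory fines) is sampled with a Monte Carlo run over min/most-likely/max ranges. The triangular distributions, the most-likely values, and the $20,000/$500,000 legal-fee bounds are assumptions made for this example; the function names are hypothetical.

```python
import random

# Primary-loss inputs exactly as given in the finance interview (Ms. Kowalski).
WORKDAYS_PER_YEAR = 260
AVG_SALARY = 50_000
RECOVERY_COST = 50_000
SERVER_COST = 5_000
LAPTOP_COST = 1_500


def lost_productivity(employees, days=3, salary=AVG_SALARY):
    """Lost productivity, rounding the per-employee figure to whole dollars
    the way the interview does ($50,000 / 260 x 3 = $577)."""
    per_employee = round(salary / WORKDAYS_PER_YEAR * days)
    return per_employee * employees


def primary_loss(employees=50, days=3, laptops=5, servers=1, salary=AVG_SALARY):
    """FAIR primary loss: productivity + recovery/remediation + replaced hardware."""
    return (lost_productivity(employees, days, salary)
            + RECOVERY_COST + servers * SERVER_COST + laptops * LAPTOP_COST)


# Secondary-loss ranges as (min, most likely, max). Legal fees: "tens of thousands
# to hundreds of thousands" per Mr. Kim; fines: $75k-$300k from the SEC example.
# ASSUMPTION: the most-likely values and the $20k/$500k legal bounds are chosen
# for this example; they are not figures from the interview.
LEGAL_FEES = (20_000, 100_000, 500_000)
REG_FINES = (75_000, 150_000, 300_000)


def sample_secondary_loss(rng):
    """Draw one secondary loss: one triangular sample per range, summed."""
    total = 0.0
    for lo, mode, hi in (LEGAL_FEES, REG_FINES):
        total += rng.triangular(lo, hi, mode)  # random.triangular(low, high, mode)
    return total


def simulate_loss_magnitude(trials=10_000, seed=1, **primary_kwargs):
    """Monte Carlo over secondary losses; returns the sorted total loss per trial."""
    rng = random.Random(seed)
    base = primary_loss(**primary_kwargs)
    return sorted(base + sample_secondary_loss(rng) for _ in range(trials))


def percentile(sorted_values, p):
    """p-th percentile (0-100) of an ascending list, nearest-rank method."""
    idx = round(p / 100 * len(sorted_values)) - 1
    return sorted_values[max(0, min(len(sorted_values) - 1, idx))]


if __name__ == "__main__":
    losses = simulate_loss_magnitude()
    print(f"primary loss: ${primary_loss():,}")  # matches the $91,350 in the interview
    for p in (10, 50, 90):
        print(f"p{p} total loss magnitude: ${percentile(losses, p):,.0f}")
```

Multiply the resulting loss magnitude by your estimated loss event frequency (how often a loss event of this kind is expected per year) to obtain annualized risk in FAIR terms.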