Attacks to Bank Information System and the CIS Critical Security Controls
Instructions
• You should complete this assignment independently. You can use books, articles, and Internet materials that you can find. No collaboration is allowed.
• Write your answer concisely. Pay attention to the specific page limit if there is one for an exercise.
• Only typed or electronic reports are allowed for homework submission.
• Submit it through the given link at Canvas as a PDF file. Verify that the submission is successful.
Exercise 1: (10pts) Risk Assessment (Limit: two pages) There are two types of attacks (threats) to a bank information system. One is a stack-based overflow attack due to violable prohibitions in software. This attack can cause information leaking and lead to fraud. The other is a Denial of Service attack due to limited network bandwidth. This attack can make the service unavailable and also has the potential to aid IP spoofing. The assets we are analyzing are the availability, confidentiality, and integrity security services of this system. You are asked to do a brief risk assessment for this bank that follows the steps in our lecture. Assign real number values and clearly state assumptions based on the information given above.
Exercise 2: (30pts) (Limit: three pages) Study CIS Critical Security Controls. Currently, it is version 8 with some significant changes from previous versions. The so-called safeguards and further descriptions are helpful in forming your solution. Answer the following questions (also related to Operations Security) with necessary explanations. (1) Map these security controls to the categories of preventative, detective, corrective/recovery, and deterrent controls. Note that there can be more than one category that one security control falls in for the different safeguards and tools being applied. A table will be helpful. (2) List the security controls that follow the principle of least privilege and those that follow the principle of separation of duties, if any.
Information Security Risk Assessment
Exercise 1
Stack-Based Overflow Attack
A stack-based overflow attack is an information system threat that occurs due to violable prohibitions in software. Specifically, this attack can cause information leaking, which leads to fraud. A stack-based overflow is a form of buffer overflow that occurs when a computer program tries to use more memory than has been allocated to the stack. In a bank information system, a stack-based overflow is a common type of vulnerability. A buffer overflow takes place when a program overruns the allocated memory space while writing data to a buffer, so that the excess bytes are written to adjacent memory locations (Nicula & Zota, 2019). In the scenario at hand, it is critical to assess the risk to the bank information system from a stack-based overflow attack. The three primary assets analyzed in this brief risk assessment are the confidentiality, integrity, and availability security services of the bank information system. On a scale of 1 to 5, where 5 is the highest risk and 1 the lowest, the real number values assigned to availability, integrity, and confidentiality are 5, 4, and 5, respectively. When a stack-based overflow attack occurs, numerous resources of the bank information system become unavailable; in other words, the system stops responding to users’ requests. Moreover, violable prohibitions pose confidentiality issues, particularly if cyber-attackers obtain the data stored in the bank information system. Integrity is affected because the data stored in the bank’s databases becomes more vulnerable to attack. The two primary impacts of a stack-based overflow attack are fraud and leaked data. As such, this type of attack exposes the bank information system to further attacks.
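As an added illustration that is not part of the original essay, the C code below places the unchecked copy that produces the overrun described above beside a bounded version that rejects oversized input; the function names, the 16-byte buffer size, and the sample account strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a fixed-size stack buffer for an account identifier. */
#define ACCOUNT_LEN 16

/* Vulnerable pattern. strcpy() has no bound, so input longer than
 * ACCOUNT_LEN - 1 bytes overruns 'account' and overwrites whatever the
 * compiler placed next to it on the stack (other locals, saved registers,
 * the return address). This is the overwrite the essay describes. Kept only
 * for contrast; it is not called below. */
void store_account_unchecked(const char *input)
{
    char account[ACCOUNT_LEN];
    strcpy(account, input);
    printf("stored %s\n", account);
}

/* Hardened version: refuses input that does not fit, so no byte is ever
 * written past dst + dst_len. Returns 0 on success, -1 when rejected. */
int copy_bounded(const char *input, char *dst, size_t dst_len)
{
    size_t n = 0;
    while (n < dst_len && input[n] != '\0') {  /* never scan past dst_len */
        n++;
    }
    if (n >= dst_len) {
        return -1;  /* no room for the terminating NUL */
    }
    memcpy(dst, input, n);
    dst[n] = '\0';
    return 0;
}

/* Same task as the unchecked function, built on the bounded copy. */
int store_account(const char *input)
{
    char account[ACCOUNT_LEN];
    if (copy_bounded(input, account, sizeof account) != 0) {
        return -1;  /* reject (and log) rather than overflow */
    }
    printf("stored %s\n", account);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one 40 bytes long. */
    printf("%d\n", store_account("ACCT-00012345"));                            /* 0 */
    printf("%d\n", store_account("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")); /* -1 */
    return 0;
}
```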
Denial of Service (DoS)
Another significant type of bank information system attack is the denial of service (DoS) that happens due to limited