ACME Company Threat Assessment
[By]
Student Name
Institution
Course
Professor
Date
A threat has happened recently or has been identified and poses a risk to the program or
the organization as a whole. Additionally, some systems encourage daily threat assessments so
that users can always be ready for anything. A Threat Assessment is an investigation into any
identified threats' veracity and potential impact. Security risk management often conducts a
threat assessment before taking measures to mitigate dangers to the business. Identifying and
evaluating potential hazards is the first step in the threat assessment process. The next step is to
assess the issue's criticality and devise a strategy to fix the underlying weakness (perhaps by
sinkholing or redirecting it). The final step is a follow-up evaluation and preventative measures. Predatory
threats, also known as offensive or targeted threats, are the most common subjects of threat
assessments.
Vulnerabilities in the risk domain of people
Weak, stolen credentials
It is common for people to reuse weak passwords across multiple accounts. If users
reuse the same passwords and user IDs, hackers will have more access points to exploit.
Usually, brute-force attacks occur when a threat actor tries to gain unauthorized access to data
and systems by systematically trying as many usernames and presumed passwords as feasible. If the
actor is successful, they can acquire access to the system and assume the identity of a legitimate
user, giving them time to steal data, plant backdoors, learn more about the procedure for use in
future attacks, and perform other malicious actions. In the business world, the risk of a
hacking attack on networked resources increases when employees choose easier and weaker
passwords. When an employee's credentials are stolen from other sites, and those credentials
have the same password that grants them access to your privileged networks, the hackers can
essentially stroll in, masquerading as the user.
Broken Authentication
Authentication failure generally results from improperly deployed session management
features (Alahmad et al., 2022). By bypassing standard authentication procedures, an
attacker can gain access to a system with the same permissions as the targeted user. When an
attacker has access to enough sensitive information about a user, such as their password, key,
or session token, to impersonate that user, the authentication system has been "broken."
Vulnerabilities in the risk domain of process
Missing Function Level Access Control
There is a security hole at the function level if there are insufficient permission checks
for handling sensitive requests. A common security flaw lets malevolent users access restricted
resources by elevating their permissions to the function level. When an attacker gains
administrative access, they often do so by altering a parameter of a privileged function and
sending corrupt requests. Obtaining access to application programming interfaces (APIs) is the
first step in an attack on broken function-level authorization. By posing as a legitimate user or phishing for credentials,
a malicious person acquires access to the program and then scans it for vulnerabilities (Roy et
al., 2018). Examples of these include allowing direct access to resources and allowing the user
interface to display protected information. Intruders can use these flaws to obtain private data
and elevate their privileges within the program.
Security Misconfigurations
Failure to specify, implement, and maintain default values for security settings leads to
security misconfigurations. If this happens, the system is likely not set up to meet the security
standards established by the industry (such as the CIS benchmarks, OWASP Top 10, etc.) that
are essential for keeping the system safe and minimizing the risk to the organization. When a
system or database administrator or developer fails to correctly configure the security
framework of an application, website, desktop, or server, it leaves dangerous open routes for
hackers.
Vulnerabilities in the risk domain of technology
Software bugs
A bug is a design fault in computer software or hardware that hackers could use to gain
unauthorized access (Sadeghi et al., 2021). These security flaws open the door to attacks on
multiple fronts, putting at risk the identities of users and their access privileges, the privacy of
sensitive information, and the integrity of stored files.
Unpatched software
Unpatched software is software that still has a bug in it that could compromise user data.
When a security flaw has been discovered but not yet patched, it is said to be "unpatched."
Attackers can exploit this vulnerability by executing malicious code (Yeboah-Ofori, 2020).
Adversarial Mindset
Adversarial mindset when assessing vulnerabilities in the risk domain of people
Communication and visibility
ACME Company security's primary objective is to conduct reconnaissance. Scanning a
company's publicly accessible systems can tell hackers a lot about the organization's internal
network and any weaknesses it may have. After breaking into a system, the first thing a hacker
does is set up a permanent link so that they can keep monitoring the system. As a result, a
security team at ACME Company prioritizes preventing hackers from exchanging information
with internal systems. Keeping in constant contact with infected devices is crucial for botnets
and crypto-jacking malware, which use their processing power for DDoS attacks and
cryptocurrency mining, respectively. ACME Company plans to increase its defenses
significantly against these threats by regularly implementing monitoring and deploying
security fixes to the systems.
Adversarial mindset when assessing vulnerabilities in the risk domain of process
Implement elite training
ACME Corporation employs military-minded "train, train, train" strategies against
plausible foes. ACME will expose security teams to actual scenarios that can happen during an
assault on the corporation, hence enhancing their ability to fend off any attacks from hackers,
regardless of their expertise level. To gain insight, ACME will allow its IT teams to take on the
roles of attackers used by ACME Company in conjunction with a layered attack simulation to
evaluate the resilience of the company's people, networks, applications, and physical security
controls.
Adversarial mindset when assessing vulnerabilities in the risk domain of technology
Broadening existing platforms of multilateral engagement
When it comes to the application of current international law or political norms to state
uses of particular technologies, ACME Company provides clarity on how a wide range of
parties (not just governments) might contribute responsibly to multilateral bodies' efforts in this
area. Information and communications technology (ICT), machine learning, autonomous
weaponry, biotechnology, and space technology are all examples of topics that have their own
dedicated working groups on these platforms, along with issues of international security.
Infrastructure Diagram
Organizational Protection
People
Implement a pen test to prevent weak, stolen credentials
ACME Company implements penetration testing to evaluate a system or network with
various malicious approaches to find security flaws in the application. This method tests the
vulnerable parts of a system via a controlled mock assault. This evaluation aims to protect
sensitive information from intruders like hackers. When a security hole is found in a system, it
is exploited to steal data.
Implement multifactor authentication to mitigate broken authentication
Multifactor authentication (MFA) is one of the primary methods ACME Company utilizes to
stop attacks like brute force, credential stuffing, and password spraying. Attackers
would need both compromised credentials and the second-factor device to access an account
protected by multifactor authentication. With MFA in place, it would take an extremely long
time and effort to compromise the account, making it impractical for a large-scale attack.
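An added example, not part of the original assessment: the three attack types named above leave different patterns in failed-login records, which the code below classifies per source address. The event tuples, the password fingerprint field and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed failed-login events: (source_ip, username, password_fingerprint).
# The fingerprint stands in for a keyed hash of the attempted password so the
# detector can count distinct guesses without storing passwords (assumption).
FAILED_LOGINS = [
    ("203.0.113.5", "alice", "p1"), ("203.0.113.5", "alice", "p2"),
    ("203.0.113.5", "alice", "p3"), ("203.0.113.5", "alice", "p4"),
    ("198.51.100.7", "bob", "s1"), ("198.51.100.7", "carol", "s1"),
    ("198.51.100.7", "dave", "s1"), ("198.51.100.7", "erin", "s1"),
    ("192.0.2.9", "frank", "c1"), ("192.0.2.9", "grace", "c2"),
    ("192.0.2.9", "heidi", "c3"), ("192.0.2.9", "ivan", "c4"),
    ("192.0.2.44", "judy", "t1"),  # a single typo, should not alert
]

THRESHOLD = 4  # assumed minimum failures per source before classifying

def classify_sources(events, threshold=THRESHOLD):
    """Label each source IP by the shape of its failed logins."""
    users, guesses, counts = defaultdict(set), defaultdict(set), defaultdict(int)
    for ip, user, fingerprint in events:
        users[ip].add(user)
        guesses[ip].add(fingerprint)
        counts[ip] += 1
    verdicts = {}
    for ip, total in counts.items():
        if total < threshold:
            continue
        many_users = len(users[ip]) >= threshold
        many_guesses = len(guesses[ip]) >= threshold
        if many_guesses and not many_users:
            verdicts[ip] = "brute force"          # one account, many passwords
        elif many_users and not many_guesses:
            verdicts[ip] = "password spraying"    # many accounts, one password
        elif many_users and many_guesses:
            verdicts[ip] = "credential stuffing"  # many distinct user/password pairs
        else:
            verdicts[ip] = "repeated failures"
    return verdicts
```

Grouping by source address is the simplest key; attempts spread across many addresses would need grouping by username or by fingerprint instead.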
Process
Role-based access control to mitigate missing function level access control
ACME Company implemented role-based access control (RBAC) to limit users'
network access depending on their assigned function in the company. Access permissions for
users on the network are categorized into "roles" in RBAC. Workers have access to only the
data they need to do their jobs properly. Authority, responsibility, and demonstrated skill in the
relevant field all play a role in determining who has access. Additionally, users are only able to
perform specific actions on the system, such as viewing, creating, or modifying files.
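An added example, not part of the original assessment, showing the missing function-level access control described earlier beside a deny-by-default RBAC check. The role names, permission strings, session tokens and handler names are hypothetical.

```python
from functools import wraps

# Assumed role-to-permission mapping (hypothetical names, not from the page).
ROLE_PERMISSIONS = {
    "viewer": {"file:view"},
    "editor": {"file:view", "file:create", "file:modify"},
    "admin": {"file:view", "file:create", "file:modify", "user:delete"},
}

# Constructed session store: the server, not the client, decides each user's role.
SESSIONS = {"tok-alice": ("alice", "admin"), "tok-bob": ("bob", "viewer")}

class Forbidden(Exception):
    """Raised when the caller lacks the permission a function requires."""

def delete_user_vulnerable(request):
    # Missing function-level access control: the handler trusts a
    # client-supplied parameter instead of checking the session's role.
    if request.get("is_admin") == "true":
        return f"deleted {request['target']}"
    raise Forbidden("admin only")

def requires(permission):
    """Deny-by-default check applied to every sensitive function."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(request):
            session = SESSIONS.get(request.get("token"))
            if session is None:
                raise Forbidden("not authenticated")
            user, role = session
            if permission not in ROLE_PERMISSIONS.get(role, set()):
                raise Forbidden(f"{user} ({role}) lacks {permission}")
            return handler(request)
        return wrapper
    return decorator

@requires("user:delete")
def delete_user(request):
    return f"deleted {request['target']}"

def attempt(handler, request):
    """Return the handler's result, or the denial reason as a string."""
    try:
        return handler(request)
    except Forbidden as exc:
        return f"denied: {exc}"
```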
Encrypting data to prevent security misconfiguration
ACME Company supplies data protection solutions that make encryption of storage media,
correspondence, and data possible. Encryption, device, email, and data
control features will be included. When data leaves the company's control, it is still encrypted
automatically to prevent unauthorized access or disclosure. The best data loss prevention
solutions enable employees to keep using email for business and collaboration while
automatically labeling, classifying, and encrypting critical information.
Technology
Test-driven development to control software bugs
ACME Company implements test-driven development (TDD), a novel approach to
software development. It considers testing an ongoing activity that should be done in tandem
with code creation. In TDD, the developer creates unit tests to guarantee that the code
continues to function as expected. The method is more of a manner of doing things than a set
of tools.
Code scanners to solve unpatched software.
Code scanners are put in place to ensure that all open-source parts of the software
project are examined. This is done by examining the software's code repositories, package
managers, and build tools. It lists all the open-source resources used in a project and their
dependencies (open source bill of materials). It records the necessary metadata, such as the
project's place of origin, license type, and version number. Like many other technologies used
in network administration, a vulnerability scanner can be put to good and bad ends. The system
administrator, programmer, security researcher, penetration tester, or black hat hacker may find
this helpful. You can use it to find vulnerabilities in your network and patch them, or you can
use it to find exploits to break into other networks.
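An added example, not part of the original assessment, of the inventory step a dependency scanner performs: it builds a bill of materials from a pinned manifest and flags components below their first fixed version. The package names, metadata and advisory data are constructed.

```python
# Constructed manifest in a pinned "name==version" style, plus constructed
# metadata and advisories; every package name and version here is hypothetical.
MANIFEST = """
# direct dependencies
examplelib==1.4.2
parserkit==0.9.9
cryptoshim==2.0.0
"""

METADATA = {
    "examplelib": {"origin": "https://example.org/examplelib", "license": "MIT"},
    "parserkit": {"origin": "https://example.org/parserkit", "license": "Apache-2.0"},
}

# package -> first fixed version (constructed advisory data)
ADVISORIES = {"parserkit": "0.9.10", "cryptoshim": "1.5.0"}

def parse_version(text):
    """Turn '0.9.10' into (0, 9, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def build_bom(manifest, metadata=METADATA, advisories=ADVISORIES):
    """Return one bill-of-materials record per pinned dependency."""
    bom = []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        info = metadata.get(name, {})
        fixed_in = advisories.get(name)
        bom.append({
            "name": name,
            "version": version,
            "origin": info.get("origin", "unknown"),
            "license": info.get("license", "unknown"),
            "unpatched": bool(fixed_in) and parse_version(version) < parse_version(fixed_in),
        })
    return bom

def unpatched(bom):
    """Names of components still below their first fixed version."""
    return [entry["name"] for entry in bom if entry["unpatched"]]
```

The numeric comparison matters here: as plain strings, "0.9.9" sorts after "0.9.10" and the unpatched component would be missed.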
Discuss how to balance the implementation of controls between simple fixes and
organizational concerns.
Our research has shown that a management system based on the balanced scorecard
framework is the most effective means of harmonizing security strategy and organizational
framework. ACME Company unit performance will be driven by the framework's tools, which
will be used by managers at all levels of the company, from regional sales managers to group
CEOs. With the help of strategy maps, managers can articulate the chain of events to realize
the unit's value proposition. The scorecard can put that plan into action and track its progress
effectively. Therefore, a balanced scorecard-based system will serve as both a guide and a
common language for collecting and sharing data on the safety of the business.
References
Alahmad, M., Alkandari, A., & Alawadhi, N. (2022). Survey of broken
authentication and session management of web application
vulnerability attack. Journal of Engineering Science and Technology, 17(2),
0874-0882.
Roy, S., Das, A. K., Chatterjee, S., Kumar, N., Chattopadhyay, S., & Rodrigues, J. J. (2018).
Provably secure fine-grained data access control over multiple cloud servers in mobile
cloud computing-based healthcare applications. IEEE Transactions on Industrial
Informatics, 15(1), 457-468.
Sadeghi, A. R., Rajendran, J., & Kande, R. (2021, June). Organizing The World's Largest
Hardware Security Competition: Challenges, Opportunities, and Lessons Learned. In
Proceedings of 2021 on Great Lakes Symposium on VLSI (pp. 95-100).
Yeboah-Ofori, A. (2020). Software reliability and quality assurance challenges in cyber-
physical systems security. International Journal of Computer Science and Security
(IJCSS), 14(3), 115-130.