Vulnerability Management Presentation to Stakeholders

This week, you will make your PowerPoint presentation, making the case for your vulnerability management process and that the company to purchase the vulnerability management software, Nessus. With the current buzz about the ransomware attack on a rival company, key Mercury USA stakeholders are concerned that this type of attack could lead to a significant loss of revenue for the company as well as damage to the company’s reputation.

They are looking for your guidance and technical expertise to not only come up with a better way to protect their resource but also to make them feel confident that they can calm stockholders’ fears about any ransomware or cyberattacks. You need to provide the stakeholders with a presentation that relays the technical information in a way they can understand so they can make an informed decision about your vulnerability management process and your recommendation to purchase cybersecurity software.

The ransomware attack has made your company realize that cybersecurity cannot be an afterthought. The stakeholders are aware that if they don’t spend money on addressing issues now, a cyber incident might lead to a more costly bill in the future and could even threaten the very existence of the company.

Remember to be clear about what action you are recommending. Executive management will want to understand not only what you discovered, but also what you propose as a solution. The company’s leaders will want to know what decisions they need to make based on your findings. Give them the actionable information they need to decide.

• five to 10 slides maximum; limit bullets to no more than six per slide
• a reference slide with one to two quality sources

How Will My Work Be Evaluated?

As you progress in your cybersecurity career, you may find yourself making presentations to customers, client audiences, and management. By summarizing your results and recommendations to management in an effective presentation, you are demonstrating how you use your technical knowledge to convey your ideas to others in a professional setting. Your ability to express your recommendations to provide information for decision makers in a format that uses the right mix of technical detail in a business context is an important workplace and career skill.

The following evaluation criteria aligned to the competencies will be used to grade your assignment:

• 1.2.2: Employ a format, style, and tone appropriate to the audience, context, and goal.
• 1.3.3: Integrate appropriate credible sources to illustrate and validate ideas.
• 2.1.3: Explain the significance of the issue or problem.
• 12.3.2: Describe the implementation of controls.
• 12.8.1: Recognize the process to obtain approval from the business process owner.
• 13.2.1: Evaluate vendor recommendations in the context of organization requirements.

If you haven’t already downloaded it last week, download the

Presentation to Management Template

 now and follow the instructions in the document.

Remember to delete the instructional text from the template before you submit.

MEMO

February 2, 2021

April Taylor-Melton\CMIT 421

Greetings:

 

Overview

Vulnerability management is the practice of identifying, prioritizing, classifying, mitigating, and remediating software vulnerabilities. It is essential to identify the vulnerabilities in businesses systems and software and come up with effective mitigating strategies to reduce the risk of cyberattacks. In this case, a vulnerability management process for Mercury USA, will be provided. It will indicate the measures taken to reduce the risks of cyber threats and attacks. The vulnerability assessment software used in this case to provide the vulnerability report will be analyzed. That will help to identify whether it is effective. Recommendations on whether the company should use it will be given. Lastly, a business case example will be given. The business case example will identify the risks and threats that might occur if the business does not implement vulnerability assessment. 

Part 1: Vulnerability Management (VM) Process Recommendation 

Security vulnerabilities are the weaknesses that allow attackers to compromise a product or the information held. Thus, it raises the essence of vulnerability management. It is the process through which security vulnerabilities are identifying, evaluated, treated and reported. The vulnerability management process is divided into four processes. The processes are identifying the vulnerabilities, evaluating the vulnerabilities, treating the vulnerabilities, and reporting the vulnerabilities (Aleksic et al., 2017). Since Mercury USA is in the transport sector, the vulnerability management process is significant. It will enable the systems that the the company uses to be secure. It will also ensure that the company is secure as it carries on its transportation business. 

The vulnerability management system’s scope will involve the company’s software systems and vessels of transport. That is because they will all be covered by the vulnerability management process. To plan the vulnerability management, the vulnerability management process’s scope must first be identified. Thus, all the systems, software and vessels of transport used by the company must be involved in its vulnerability management plan. 

To identify the assets involved, an audit will be conducted on the company. That will help determine all the software, systems, and the vessels of transport that may be included in the vulnerability management process. Additionally, the audit will identify other significant assets in the company that might be involved in the vulnerability management test. 

The Open Vulnerability Assessment Scanner will be used to scan and assess the vulnerabilities. It is a software framework of several tools and services that offer vulnerability scanning and vulnerability management. It is a free software that has a high level of effectiveness. Thus, it will be used by the company to assess its vulnerabilities. The transport industry requires that the vulnerability tools to assess the vulnerabilities are approved scanning vendors. That minimizes the risks of using ineffective vulnerability assessment tools. The vulnerability assessment tools that are used should be licensed. In this case, the Open Vulnerability Assessment Scanner is licensed under the general public license. It is written in Nexus Attack Scripting Language, making it very effective. 

The desired frequency of scanning would be once monthly. That will ensure that there is regular vulnerability scanning in the company. Since the Open Vulnerability Assessment Scanner software is free, the company will not incur many expenses to assess the vulnerabilities. Thus, it is essential to assess the vulnerabilities frequently to avoid any cyber-attacks or threats that might occur due to unknown vulnerabilities. 

The report of the vulnerability scanning will be reported to the required authorities. They will be detailed to indicate any vulnerabilities that have been identified. It will also indicate the risks that the vulnerabilities expose the business to. Moreover, effective mitigation strategies will be identified.  

Part 2: Vulnerability Scanning Tool Evaluation and Recommendations

The tool used to scan the company and produce the report is Open Vulnerability Assessment Scanner. The software is open-source software that offers vulnerability scanning and vulnerability management. It is a free software and it is licensed under the general public license indicating that it meets the industry standards. It is written in the Nessus Attack Scripting Language. 

The OpenVAS software provided a comprehensive vulnerability assessment report. That indicates that the system may be used to effectively find the company’s vulnerabilities (Rahalkar, 2019). One of the disadvantages that may arise is compatibility issues. Since it is an open-source software, it needs specialized drivers to be installed into its system. The overall impression about the software is that it is an effective software that may be utilized by the company. It identifies the vulnerabilities and indicates how the vulnerabilities may be used against the company by attackers. Thus, it will enable the analysts to correct the vulnerabilities. It can also be used to discern the most critical vulnerabilities since it also indicates the risks that result from the vulnerabilities. The report adequately covers the mitigation for the vulnerabilities. It indicates what should be done and how it should be done. 

The report’s qualities make it effective to be used by the management. That is because it is a detailed report and it gives effective mitigation strategies. Thus, Mercury USA should use the tool to assess its vulnerabilities in the future. 

Part 3: Business Case Example
 

If the recommendation is not implemented, the company may be exploited by remote attackers, thus leading to information disclosure from the server. To avoid that, the company should install the vendor’s released updates to avoid such risks from occurring. OpenVAS would be adequate to identify such a vulnerability and identify the effective mitigation strategies that should be implemented.  

Closing
 

The vulnerability management process should be carried out to identify the vulnerabilities so that effective strategies may be formulated to reduce the threats and risks that are exposed to the company. The OpenVAS software is an effective software to be used in vulnerability assessment by the company. That is because it provides a comprehensive report that includes the vulnerabilities identified, the risks they expose the business to, and the mitigation strategies that may be used. Considering that lack of implementing a vulnerability assessment software may lead to data loss and cyber attacks, the OpenVAS software should be implemented to identify the company’s vulnerabilities.

Yours Sincerely.

April Taylor-Melton
Cybersecurity Threat Analyst

Mercury USA

References

Aleksic, A., Puskaric, H., Tadic, D., & Stefanovic, M. (2017). Project management issues: vulnerability management assessment. Kybernetes.

“Chapter 5: Implementing an Information Security Vulnerability Management Process”, Pearson CompTIA Cybersecurity Analyst (CySA+), 2020. [Online]. Available: https://www.ucertify.com/. [Accessed: 28- Apr- 2020].

Rahalkar, S. (2019). OpenVAS. In Quick Start Guide to Penetration Testing (pp. 47-71). Apress, Berkeley, CA.

1

VM Scanner Background Report

April Taylor-Melton

CMIT 421 4520

21 Feb 2021

Introduction

Vulnerability management is significant for businesses. When a business experiences a cyber-attack, it risks losing customer trust and loyalty and incurring expensive litigation processes and government fines. Therefore, it is essential to prevent such occurrences in a business (Goel & Mehtre, 2015). In this paper, an assessment of Mercury USA will be conducted. The company used the Nessus vulnerability scanner to identify the vulnerabilities in the company. After the scan was completed, Mercury USA was issued the report indicating the vulnerabilities that it faces. In this paper, the analysis of the Nessus vulnerability report will be conducted. That will identify all the vulnerabilities that are identified in the report and their implications in the business. Effective mitigation strategies will also be discussed to come up with a plan that may be used to prevent the vulnerabilities from being exploited by the cyber attackers. That will safeguard the company’s operations and data from cyber threats and cyber-attacks. When giving the recommendations, the business case will be considered. That entails what the CEO of Mercury USA requires to be done. It will also ensure that the mitigation strategies that have been given align with the company’s operations. Moreover, a recommendation on whether to purchase the Nessus vulnerability scanner will be given.

Part 1: Nessus Vulnerability Report Analysis

The Nessus vulnerability report should be sent to the management of Mercury USA so that they may see the vulnerabilities that were identified by the Nessus vulnerability scanner. However, the management of the company will not easily understand the report. Since it would be time-consuming for the IT manager to explain everything to the management of the company, it is integral to attach meaning before sending the report to the management. Explaining the report will make it easier for the company’s management to understand the Nessus vulnerability report. It will also let them understand the implications of the vulnerabilities that have been identified.

The tool’s output was effective. The Nessus vulnerability report covers all the workstations and servers at Mercury USA. That shows that the report is relevant to the company. It shows the information that the company was seeking. Although the report does not explain the issues identified, it is effective as it identifies all the vulnerabilities in the company’s system. The report is well organized and easy to interpret. It provides the four hosts executive summary at Mercury USA. The report arranges the issues that have been identified in five categories. The categories are critical, high, medium, low, and information. In this case, the vulnerabilities are represented by critical, high, medium, and low with critical being the most serious vulnerabilities and low being the less serious vulnerabilities.

The tool provides enough information for me as an analyst to use. As indicated above, the vulnerabilities are arranged in accordance with their seriousness and the threat that they pose to the company. That makes it easy to identify the most critical vulnerabilities in the business. Therefore, the most serious vulnerabilities in the business should be tackled before addressing the less serious vulnerabilities in the business. Therefore, the Nessus vulnerability report will be used to effectively identify all the vulnerabilities in the company based on their seriousness and the threat that they pose.

From the Nessus vulnerability report, the three most important vulnerabilities in the company’s system can be identified. The vulnerabilities are the most critical as they may lead to other vulnerabilities occurring in the company’s systems. Thus, when corrected, more vulnerabilities will be prevented from occurring. However, that does not indicate that the other vulnerabilities should not be dealt with. Due to the nature of seriousness and critical nature of some vulnerabilities, they have to be dealt with first.

The first important vulnerability that has been identified is “Unix operating system unsupported version detection.” That indicates that Unix operating system that is used by the company’s 192.168.1.30 host is no longer supported. The version of the Unix operating system runs on the remote host in the company. The lack of support indicates that there will be no more security patches that will be produced for the operating system. Thus, the operating system is likely to have security vulnerabilities. That poses a serious threat to the company as the security vulnerabilities may be exploited by cyber attackers. Therefore, the company should upgrade to a version of the Unix operating system that is supported.

The second important vulnerability is “Bind Shell Backdoor Detection.” That indicates that the remote host of the company may be compromised. If it is not compromised, it indicates that there are higher chances that it could be compromised. The vulnerability indicates that the shell listens to the remote port without the requirement of authentication (Tenable, n.d.). That may be exploited by an attacker and they may send the commands directly thus accessing the company’s system. The company should verify whether the remote host is compromised and then re-install the system to ensure that it is safe.

The third important vulnerability is a security update for the Microsoft Windows SMB server. The company has an available security update that it has not installed. That may pose a threat to the company as the security vulnerabilities may be exploited by attackers. Therefore, the company should update its Microsoft Windows SMB.

As indicated above, the report provides enough information to address and remediate the three most important vulnerabilities. Although the report does not indicate the solutions directly, they may be formulated by understanding the vulnerabilities and what they entail.

Part 2: Business Case

Although the company faces several critical vulnerabilities, it is in a better position. That is because the vulnerabilities that have been identified can be easily corrected. Additionally, they may not be used directly by attackers to attack the company. But if not corrected, they may lead to attacks that may lead to loss or expose of business-critical information and customers’ information. That is evident as most of the vulnerabilities require updates that have not been done. That considered, the company should always update its systems when updates are made available. That will ensure that the vulnerabilities in the company are minimized and the security is heightened.

Based on the vulnerabilities that have been identified in the Nessus vulnerability report, some vulnerabilities may lead to adversary threats that might lead to exfiltration of the company’s data or ransomware being used against a company. A black hat hacker might try to use the remote hosts to access the company. Several critical vulnerabilities have been identified in the remote hosts operating systems. The vulnerabilities would enable a black hat hacker to access the company without being noticed. For instance, a black hacker may use a bind shell that does not require authentication to access the company’s data. Additionally, SMB signing is not required, and it shares unprivileged access. That would be used by attackers to hold the company’s data for ransom or exfiltrate the company’s data. That indicates that the company should come up with mitigation strategies and implement them as soon as possible.

Part 3: Nessus Purchase Recommendation

The overall features of the Nessus vulnerability report are adequate for technical professionals. The report identified the vulnerabilities that have been identified in a company’s systems and categorizes them in the order of their seriousness in a company. Technical professionals would use such data as it simplifies their work of identifying the vulnerability and determining its seriousness. The Nessus report is understandable by the management. However, the members of the management team that do not have knowledge of IT processes should be explained to understand what the vulnerabilities entail. That is because the report s written in IT terms.

Nessus vulnerability professional costs depend on the period that a company buys to use the tool. It is available for sale for periods of one year, two years, and three years. The cost for a year is $3.458, the cost of two years is $6765, and the cost of three years is $8621. The tool may come in a standard format or an advanced format with an extra cost (Tenable, 2020). The cost of the tool is fair as it warrants its support, efficacy, and usability. Nessus vulnerability assessment tool may help Mercury USA comply with the regulatory and standards by enabling the company to identify its vulnerabilities and coming up with mitigation strategies. That will ensure that the company develops strong security for its systems. Therefore, I would recommend the Nessus vulnerability assessment tool for Mercury USA. It would be effective for the business and it will help in reducing its vulnerabilities.

Conclusion

According to the Nessus vulnerability report, the company has several vulnerabilities. Most of the vulnerabilities are present as a result of the company not updating its systems. Such vulnerabilities may be exploited by attackers to access the company’s critical business data and the customers’ data. That may result in loss of customer trust and incurring a lot of costs in the litigation processes and government fines. Nessus vulnerability assessment tool is easy to use and effective for a business. Thus, Mercury USA should buy the assessment tool. It will enable them to deal with the vulnerabilities that they face thus, heightening the security of the company. Purchasing the Nessus vulnerability assessment tool is effective to the organization, employees, and management as it will ensure that the employees work effectively with assured security in the systems. It will also enable the managers to come up with effective mitigation strategies and security policies thus protecting the company from cyber threats and attacks.

References

Goel, J. N., & Mehtre, B. M. (2015). Vulnerability assessment & penetration testing as a cyber defence technology. Procedia Computer Science, 57, 710-715.

Tenable. (2020, July 13). Nessus professional. Tenable®. https://www.tenable.com/products/nessus/nessus-professional

Tenable. (n.d.). Bind shell Backdoor detection. Tenable® – The Cyber Exposure Company. https://www.tenable.com/plugins/nessus/51988