Pages:
1 page/≈275 words
Sources:
2 Sources
Style:
APA
Subject:
IT & Computer Science
Type:
Essay
Language:
English (U.S.)
Document:
MS Word
Topic:

Week 2 Topic 1: What are Advanced Persistent Threats

Essay Instructions:

Please write a response to each of my classmates' responses below. Please make each answer half of a page and one source for each. Thank you.
Week 2 Topic 1 - Yun / Question: What are Advanced Persistent Threats
Answer:
1. Advanced Persistent Threats (APTs) are prolonged cyberattacks targeted against commercial companies and government entities by foreign government or non-state actors (University of Maryland University College, 2019). The elements carrying out the cyber-attacks are well resourced with means to initiate and sustain cyberattacks over an extended period of time. The purpose of these cyberattacks is to monitor network activities or to extract sensitive information from the targeted network. APT groups use advanced cyber-attack methods; zero-day exploitation, social engineering, and spear phishing are among the most used methods in cyber-attacks against high value targets. The process of a cyber-attack by an APT group consists of reconnaissance of the target network, gaining access to the target network, additional reconnaissance with new access, gaining higher access, conducting the cyber-attack, extracting information, and staying hidden until discovery by the system administrators (Rouse, 2018).
APT groups present a danger to the traditional cybersecurity principle of defense in depth. This principle focuses on posturing defense measures in layers to provide protection to data and information. Even though there are multiple layers of defense measures, defense in depth is static in nature and does not include defensive features necessary to prevent an APT cyber-attack (FireEye, Inc., 2019). A sophisticated APT cyber-attack may attempt to gain access to a target network via zero day exploits in applications, user access of planned malicious software, or vulnerabilities in network configuration.
Various government entities aim to identify mitigation strategies to combat advanced cyber-attacks. The Department of Defense (DoD) developed a risk management framework and issued DoD Instruction 8510.01 to implement the framework across the DoD enterprise for all information technology activities that involve DoD information. Additionally, the December 2012 “National Strategy for Information Sharing and Safeguarding” provides direction to the Federal Government for sharing of information and risk management. This allows the Federal agencies to share information on APT cyber-attacks and minimize the same attack affecting multiple federal entities. The Presidential Policy Directive 41 further expands the sharing of information from only the federal government to private sector entities. This directive permits sharing of government information to the private sector, which may strengthen the defense of commercial networks against potential APT cyber-attacks (University of Maryland University College, 2019).
Week 2 Topic 4 - Porter / Question: A. What is the purpose of a vulnerability assessment?
B. Describe the key steps and common elements of vulnerability assessments and how often these assessments should take place.
Answer:
1. NIST defines a vulnerability assessment as “Systematic examination of an information system or product to determine the adequacy of security and privacy measures, identify security and privacy deficiencies, provide data from which to predict the effectiveness of proposed security and privacy measures, and confirm the adequacy of such measures after implementation.” (NIST, 2014.) I like this NIST definition because it includes examination of privacy aspects to ensure that the examined information system does not inadvertently disclose private information, in addition to being secure.
So given that “canonical” definition, let’s examine it closely. “Systematic examination” implies that the examination method is rigorous and repeatable, and is conducted in accordance with standards or specifications. “Identify … deficiencies” is a critical part of vulnerability assessment, and means that there is probably some written output that describes how the examined information system or product deviates from the standard. “Predict…effectiveness” as well as “confirm…adequacy” implies that the examination is run more than once, perhaps regularly, and that the information system is examined BEFORE anything is fixed, and then again after it is adjusted or fixed to ensure that the vulnerabilities found initially have been remedied. (Alsaleh & Al-Saer, 2014.)
Vulnerability assessments are one of the key components of a comprehensive vulnerability program. Overall a vulnerability program needs to be able to identify which information systems are “in scope” (that need to have their vulnerabilities managed.) These systems then need to be assessed to determine what vulnerabilities they have. Then these systems should be remediated or mitigated (often by having patches applied, weak code fixed, etc.). Then they should be assessed again immediately after remediation to ensure that the remediation was effective. (Palmaers, 2013.)
At previous employers, we regularly assessed, patched and then assessed again. When I worked at California Polytechnic State University in San Luis Obispo, CA, I was responsible for hundreds of systems, and we patched and assessed every month. We did not have a specific regulatory reason to do so, but our CIO was of the mind we should be patching more or less continuously, and once a month was as often as we could manage. At TransUnion, another employer, we were subject to about every audit regime out there: SOX, PCI DSS, HIPAA and many others. Our vulnerability management program was driven by these regulatory requirements. Because of our scale and complexity (I managed about 5000 virtual machines), about as fast as we could patch and assess was quarterly. So I do not believe that there is some hard and fast frequency of assessment I can give, as “it depends”. The type of organization, the agility of the organization’s IT department, which regulatory/audit frameworks you are subject to, the size of the organization, all these concerns factor into the calculus of how often. “Never” is not acceptable. In my experience you should be assessing (and remediating) at an interval no less than quarterly. Also I would note that just patching is not enough. At some longer time frame, say every three years, you should have actual working procedures to REPLACE your systems. You can’t patch forever. Operating systems, applications and other components get to end-of-life and can no longer be patched. They must be replaced (and then assessed again.)

Essay Sample Content Preview:

Week 2 Responses
Name
Course
Date
Week 2 Topic 1 - Yun / Question: What are Advanced Persistent Threats
Advanced Persistent Threats (APTs) are a prolonged and sophisticated type of cyber attack that seeks to gain access to a network and is mostly carried out by actors with enormous economic and human resources. There is increased risk of these types of attacks, which exploit trustworthy social connections, rely on sophisticated malware, and are executed to target the victims over an extended period of time. The APTs are difficult to detect because the attackers and hackers take control of an organization’s applications and the network infrastructure, including taking advantage of privileges of the people who are targeted (Friedberg et al., 2015). Despite strategies aimed at improving network security, the sophisticated attacks present challenges because of the attackers masking encryption and transmission. As such, sharing information remains an important step toward preventing persistent attacks and improves security since the weakest links are identified and corrective measures undertaken.
Week 2 Topic 4 - Porter / Question: A. What is the purpose of a vulnerability assessme...