Scenario: Several Company Computers Have Been Compromised

Scenario: Several company computers have been compromised; attackers exploited both network and host vulnerabilities and the intrusions went undetected for months. The company requires a security improvement plan within an initial budget of $500,000 (equipment and software) that also includes funding for one full-time security administrator (first-year salary included), although the numbers may change. The company operates separate Linux (research) and Windows (administrative) networks that must both be secured and able to communicate securely. The public web server (product sales, advertising, customer support) must be protected.

Task: As the head of information security or a hired consultant, propose a security solution that: states assumptions; documents the current state and likely causes of compromise; lists objectives and prioritization tied to business operations; identifies existing assets, personnel, policies, and gaps; presents a detailed plan with technical, operational, and policy components; explains how components will be implemented and how they mitigate risks; estimates cost and resources and explains trade-offs within the budget; proposes measurable metrics for assessing security improvements; discusses alternatives and when to consider them; and addresses containment/compartmentalization and tolerance for undetected attacks.

Deliverable: A comprehensive security proposal explaining why the recommended solution provides the best level of security given the scenario and constraints, with cost and resource assessment.

Paper For Above Instructions

Executive summary

This proposal provides a prioritized, cost-aware security redesign for an organization whose Linux (research) and Windows (administrative) networks were compromised and left undetected for months. The plan combines layered technical controls (segmentation, next-generation firewalls, endpoint protection, WAF, SIEM), operational practices (patching, backups, incident response), and governance (policies, training). The initial budget of $500,000 (including one FTE security administrator salary) is allocated to deliver rapid risk reduction while enabling longer-term resilience. Implementation emphasizes measurable metrics and alternatives to enable future adjustments (NIST CSF, 2018; CIS Controls, 2019).

Assumptions

  • The company is an engineering-type organization with moderate sensitivity of research data, requiring continuity but not regulated healthcare/financial compliance.
  • The existing estate includes commodity servers, network switches, and basic perimeter routing; no enterprise SIEM or centralized patching system currently in place.
  • The web server is externally reachable and hosts both public marketing pages and a customer portal that authenticates users.
  • The initial budget of $500K must cover hardware, software, services, and one-year salary for one security administrator (approx. $110–130K). Funds for major culture change or full staff expansion are limited.

Current state, likely causes, and scope

Based on the scenario, the likely causes are unpatched operating systems and applications on hosts, weak perimeter filtering with no internal segmentation, poor endpoint hygiene, no centralized logging or monitoring, exposed or vulnerable web application components (OWASP Top Ten), and weak control of privileged accounts. That the intrusions went undetected for months points to inadequate visibility (no SIEM or IDS), short log retention, and no incident response capability (Verizon, 2020; NIST SP 800-61, 2012).

Objectives and prioritization

Primary objectives, prioritized by business impact:

  1. Protect customer-facing web services to prevent revenue loss and reputational damage.
  2. Contain and prevent lateral movement between Windows and Linux networks (protect intellectual property and administrative systems).
  3. Detect intrusions quickly and enable rapid response and recovery.
  4. Establish sustainable operational practices (patching, backups, IAM, training).
  5. Provide measurable security metrics to support future investment decisions.

Proposed solution (technical, operational, policy)

This is a layered defense-in-depth plan aligned to NIST and CIS guidance (NIST SP 800-53; CIS Controls) and tailored to scope and budget.

1. Network segmentation and access control

Implement logical segmentation with separate zones for the public web servers (DMZ), the Linux research network, the Windows administrative network, and management/monitoring systems. Deploy two next-generation firewalls (NGFWs) to enforce a default-deny inter-zone (east-west) policy, in which only explicitly listed flows are permitted, and to terminate VPN for remote administrative access. Micro-segmentation (software-defined, or VLANs plus host-based firewalls) limits lateral movement inside a zone (NIST SP 800-53; CIS Control 14).
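As an added example (not part of the original proposal), the inter-zone policy described above expressed as an explicit allowlist that is evaluated default-deny, plus a check that catches rule changes reopening the lateral-movement paths the plan closes. Zone names, subnets, ports and the individual rules are assumptions chosen for illustration.

```python
# Added example, not part of the original proposal: the inter-zone policy from
# the segmentation plan written as an explicit allowlist and evaluated
# default-deny, with a check for the lateral-movement paths the plan closes.
# Zone names, subnets, ports and rules below are illustrative assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing for the four zones in the plan.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),        # public web server / reverse proxy
    "research": ip_network("10.10.0.0/16"),   # Linux research network
    "admin": ip_network("10.20.0.0/16"),      # Windows administrative network
    "mgmt": ip_network("10.99.0.0/24"),       # jump hosts, SIEM collector, monitoring
}


@dataclass(frozen=True)
class Rule:
    src: str             # source zone
    dst: str             # destination zone
    proto: str           # "tcp" or "udp"
    port: Optional[int]  # destination port; None means any port
    comment: str


# Everything not listed here is dropped by the NGFW's default-deny policy.
ALLOWLIST = [
    Rule("admin", "dmz", "tcp", 443, "staff use the customer portal over HTTPS"),
    Rule("research", "dmz", "tcp", 443, "researchers use the portal over HTTPS"),
    Rule("mgmt", "dmz", "tcp", 22, "SSH to web hosts only from jump hosts"),
    Rule("mgmt", "research", "tcp", 22, "SSH to Linux hosts only from jump hosts"),
    Rule("mgmt", "admin", "tcp", 3389, "RDP to Windows hosts only from jump hosts"),
    Rule("dmz", "mgmt", "tcp", 6514, "web server forwards syslog over TLS to the SIEM"),
    Rule("research", "mgmt", "tcp", 6514, "Linux hosts forward syslog over TLS to the SIEM"),
    Rule("admin", "mgmt", "tcp", 6514, "Windows hosts forward logs over TLS to the SIEM"),
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside every known zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Decide a new flow the way the NGFW would: allowlist hit, otherwise drop."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False   # address space that belongs to no zone is never trusted
    if src == dst:
        return True    # intra-zone traffic is the host firewall's job, not the NGFW's
    return any(
        r.src == src and r.dst == dst and r.proto == proto and r.port in (None, port)
        for r in ALLOWLIST
    )


def policy_violations(rules) -> list:
    """Flag rules that would reopen the lateral-movement paths the plan closes."""
    problems = []
    for r in rules:
        if r.src == "dmz" and r.dst in ("research", "admin"):
            problems.append(f"{r.comment}: the DMZ may not initiate into internal zones")
        if {r.src, r.dst} == {"research", "admin"}:
            problems.append(f"{r.comment}: no direct research<->admin flows; go via mgmt")
        if r.port is None:
            problems.append(f"{r.comment}: any-port rule defeats least privilege")
    return problems


if __name__ == "__main__":
    # A compromised research host trying SMB into the Windows network is dropped;
    # a jump host reaching a Windows host over RDP is allowed.
    print(is_allowed("10.10.5.7", "10.20.1.1", "tcp", 445))
    print(is_allowed("10.99.0.10", "10.20.1.1", "tcp", 3389))
    print(policy_violations(ALLOWLIST))
```

Running `policy_violations` against every proposed rule change (for example in the change-control step before a firewall push) is how the segmentation survives the first "just open it temporarily" request; the check is intentionally stricter than the firewall itself.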

2. Perimeter and web-server protection

Place a Web Application Firewall (WAF) and reverse proxy in front of the web server to filter the attacks that are detectable at the HTTP layer (injection, cross-site scripting and similar OWASP Top Ten categories), to terminate TLS, and to rate-limit abusive clients (OWASP, 2021). A WAF does not fix the application itself, so pair it with a hardened host configuration and regular authenticated dynamic application scans, and remediate the findings.

3. Endpoint security and patch management

Deploy enterprise endpoint detection and response (EDR) on Windows and Linux endpoints, coupled with centralized patch management (a configuration management tool) so that known vulnerabilities are closed within a defined SLA (CIS Controls 3, 5 and 8: vulnerability management, secure configuration, malware defenses).

4. Visibility, detection, and logging

Implement a SIEM to aggregate logs from firewalls, hosts, web servers, EDR, and critical applications. Place IDS/IPS sensors at the inter-zone choke points (the DMZ edge and the boundaries between the research, administrative, and management zones). Establish log retention, correlation rules and alerting, and playbooks for the prioritized events (NIST SP 800-61).
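An added example (not part of the original proposal) of the kind of correlation rule the SIEM would run: two detections over constructed OpenSSH auth-log lines from the Linux research network. The hostnames, addresses, thresholds and the management subnet are assumptions; the log lines are made up for illustration, not captured from any system.

```python
# Added example, not part of the original proposal: two SIEM correlation
# rules run over constructed sshd auth-log lines from the Linux research
# network. Hostnames, addresses, thresholds and the management subnet are
# assumptions; the log lines are made up for illustration, not captured.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List

MGMT_NET = ip_network("10.99.0.0/24")   # assumed jump-host zone, the only legitimate SSH source
FAILURE_THRESHOLD = 5                   # failures before a success that count as brute force
WINDOW = timedelta(minutes=10)          # correlation window for failures preceding a success
LOG_YEAR = 2024                         # syslog timestamps carry no year; assumed

# Constructed sample log in the syslog format written by OpenSSH.
SAMPLE_LOG = """\
Mar  3 02:14:01 lab-gw sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Mar  3 02:14:03 lab-gw sshd[2212]: Failed password for root from 203.0.113.5 port 4023 ssh2
Mar  3 02:14:05 lab-gw sshd[2213]: Failed password for root from 203.0.113.5 port 4024 ssh2
Mar  3 02:14:07 lab-gw sshd[2214]: Failed password for root from 203.0.113.5 port 4025 ssh2
Mar  3 02:14:09 lab-gw sshd[2215]: Failed password for root from 203.0.113.5 port 4026 ssh2
Mar  3 02:14:20 lab-gw sshd[2230]: Accepted password for root from 203.0.113.5 port 4040 ssh2
Mar  3 02:15:01 lab-gw CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 03:30:00 lab-07 sshd[3001]: Accepted publickey for svc-build from 10.10.4.4 port 50022 ssh2
Mar  3 08:00:00 lab-07 sshd[3102]: Accepted publickey for ops from 10.99.0.10 port 50100 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass
class Event:
    ts: datetime
    host: str
    result: str   # "Accepted" or "Failed"
    user: str
    src: str


@dataclass
class Alert:
    rule: str
    host: str
    src: str
    detail: str


def parse(lines) -> List[Event]:
    """Parse sshd authentication lines; other daemons' lines are skipped."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["host"], m["result"], m["user"], m["src"]))
    return events


def detect(events) -> List[Alert]:
    alerts = []
    failures = defaultdict(list)   # (host, source ip) -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.src)
        if ev.result == "Failed":
            failures[key].append(ev.ts)
            continue
        # Rule 1: a success preceded by a burst of failures from the same source.
        recent = [t for t in failures[key] if ev.ts - t <= WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(Alert("ssh_bruteforce_success", ev.host, ev.src,
                                f"{len(recent)} failures then login as {ev.user}"))
        # Rule 2: interactive SSH must originate from the management zone; a login
        # from anywhere else (internet or a peer lab host) bypassed the jump hosts.
        if ip_address(ev.src) not in MGMT_NET:
            alerts.append(Alert("ssh_from_outside_mgmt", ev.host, ev.src,
                                f"login as {ev.user} did not come via a jump host"))
    return alerts


def run() -> List[Alert]:
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run():
        print(a.rule, a.host, a.src, a.detail)
```

Rule 2 is the one that only becomes possible once segmentation exists: with a single allowed SSH source zone, every other successful login is an anomaly by policy rather than a judgement call, which is what turns months of silent access into a same-hour alert.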

5. Identity and access management (IAM)

Enforce least privilege, centralize authentication via an identity provider (Active Directory for Windows + LDAP/SSO for Linux), and require multifactor authentication for all administrative and remote access. Implement role-based access and periodic access reviews (ISO/IEC 27001).

6. Incident response, backups, and recovery

Create an incident response plan, tabletop exercises, and runbooks; schedule regular backups with offline or immutable copies and test restores on a fixed cadence. Set backup retention and recovery objectives (RTO/RPO) aligned to business needs (NIST SP 800-61).

7. Policies, training, and governance

Formalize acceptable use, patching, change control, and data classification policies. Conduct regular security awareness training and phishing exercises. Assign the full-time security administrator to manage daily operations, alert tuning, and continuous improvement (CIS Controls; BLS, 2023).

Implementation timeline and costs (high-level)

High-level one-year budget allocation (totals $500K):

  • NGFWs, segmentation switches, WAF, VPN appliance: $140,000
  • SIEM deployment and IDS/IPS licensing + initial tuning: $100,000
  • EDR and patch management licensing (Windows & Linux): $60,000
  • Backups/DR solution and testing: $35,000
  • Professional services (deployment, training, initial IR planning): $35,000
  • Contingency, testing, procurement overhead: $10,000
  • Security administrator first-year fully loaded salary: $120,000 (within the $110–130K assumed above; adjust to the local market, BLS 2023)

These numbers are estimates and should be refined during vendor selection and procurement. Given additional funds, prioritized enhancements are expanded SIEM retention, staff headcount, and managed detection service (MSSP) integration (Gartner, 2019).

Metrics and validation

Measure success via: mean time to detect (MTTD) and mean time to respond (MTTR), percentage of systems patched within the agreed SLA, phishing-simulation click rate, SIEM alert precision (share of alerts that are true positives, tracked as tuning progresses), and backup restore test success rate. Regular red-team/penetration tests and periodic external vulnerability scans validate the controls (CIS Controls; OWASP).
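As an added example (not part of the original proposal), how the scorecard metrics above would actually be computed from incident and inventory records and compared with targets. The incident records, host inventory, SLA and target values are constructed assumptions, not data from the company; MTTD is measured from the start of attacker activity established by forensics, not from the first ticket, since the scenario's problem is precisely the gap between those two.

```python
# Added example, not part of the original proposal: computing the scorecard
# metrics named in the proposal from constructed incident and inventory records
# and comparing them with assumed targets. Records, targets and the SLA are
# illustrative assumptions, not data from the company.
from datetime import datetime
from statistics import mean, median

# Constructed incident records (UTC, ISO 8601). "began" comes from the forensic
# timeline, "detected" from the first alert or report, "contained" from the IR log.
INCIDENTS = [
    {"id": "INC-01", "began": "2024-01-05T03:10:00", "detected": "2024-01-05T09:40:00", "contained": "2024-01-05T13:10:00"},
    {"id": "INC-02", "began": "2024-02-10T22:00:00", "detected": "2024-02-12T10:00:00", "contained": "2024-02-12T16:00:00"},
    {"id": "INC-03", "began": "2024-03-01T08:00:00", "detected": "2024-03-01T08:30:00", "contained": "2024-03-01T20:30:00"},
]

# Constructed host inventory; patched_within_sla is the patch system's verdict.
HOSTS = [
    {"name": "lab-01", "network": "research", "patched_within_sla": True},
    {"name": "lab-02", "network": "research", "patched_within_sla": True},
    {"name": "lab-03", "network": "research", "patched_within_sla": False},
    {"name": "lab-04", "network": "research", "patched_within_sla": True},
    {"name": "adm-01", "network": "admin", "patched_within_sla": True},
    {"name": "adm-02", "network": "admin", "patched_within_sla": True},
    {"name": "adm-03", "network": "admin", "patched_within_sla": True},
    {"name": "adm-04", "network": "admin", "patched_within_sla": True},
    {"name": "adm-05", "network": "admin", "patched_within_sla": True},
]

# Assumed first-year targets; the baseline they improve on is "months undetected".
TARGETS = {"mttd_hours": 24.0, "mttr_hours": 8.0, "patch_pct": 95.0}


def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def mttd_hours(incidents=INCIDENTS) -> float:
    """Mean time to detect: attacker activity began -> first detection."""
    return mean([_hours(i["began"], i["detected"]) for i in incidents])


def median_ttd_hours(incidents=INCIDENTS) -> float:
    """Reported next to the mean because one long-running intrusion skews MTTD."""
    return median([_hours(i["began"], i["detected"]) for i in incidents])


def mttr_hours(incidents=INCIDENTS) -> float:
    """Mean time to respond: detection -> containment."""
    return mean([_hours(i["detected"], i["contained"]) for i in incidents])


def patch_compliance(hosts=HOSTS) -> dict:
    """Percentage of hosts patched within SLA, per network and overall."""
    groups = {}
    for h in hosts:
        groups.setdefault(h["network"], []).append(h["patched_within_sla"])
    result = {net: 100.0 * sum(flags) / len(flags) for net, flags in groups.items()}
    result["overall"] = 100.0 * sum(h["patched_within_sla"] for h in hosts) / len(hosts)
    return result


def scorecard() -> dict:
    """Each metric with its target and whether the target was met this period."""
    pc = patch_compliance()
    ttd, ttr = mttd_hours(), mttr_hours()
    return {
        "mttd_hours": {"value": round(ttd, 2), "median": median_ttd_hours(),
                       "target": TARGETS["mttd_hours"], "met": ttd <= TARGETS["mttd_hours"]},
        "mttr_hours": {"value": round(ttr, 2), "target": TARGETS["mttr_hours"],
                       "met": ttr <= TARGETS["mttr_hours"]},
        "patch_pct": {"value": round(pc["overall"], 1), "target": TARGETS["patch_pct"],
                      "met": pc["overall"] >= TARGETS["patch_pct"]},
        "patch_pct_by_network": {k: round(v, 1) for k, v in pc.items() if k != "overall"},
    }


if __name__ == "__main__":
    for name, row in scorecard().items():
        print(name, row)
```

On the constructed data the overall patch figure hides that the research network is at 75%, which is why the scorecard reports per-network values: the Linux lab is the segment most likely to fall behind a Windows-centric patch process.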

Alternatives and trade-offs

Alternatives include managed services (MSSP) vs. in-house SIEM/monitoring, cloud-hosted WAF vs. on-prem appliances, and open-source tooling vs. commercial products. For limited staff, an MSSP provides 24/7 detection at higher recurring cost; for control and customization, in-house SIEM plus one FTE is preferable (Gartner; ENISA).

Containment and tolerance for undetected attacks

Assume some attacks may bypass prevention. The plan emphasizes detection, rapid isolation (network segmentation), immutable backups, and forensic readiness to minimize impact. Data compartmentalization and least privilege reduce blast radius (NIST SP 800-53).

Conclusion

This layered, prioritized program provides measurable risk reduction within the stated budget and constraints by combining technical controls, monitoring, operations, and governance. It addresses web-facing risk, lateral movement, detection gaps, and operational sustainability. The approach is adaptable: additional funds improve retention, staffing, and managed services; cuts prioritize perimeter and endpoint protections first, then visibility (SIEM) next.

References

  1. NIST Cybersecurity Framework (2018). National Institute of Standards and Technology. https://www.nist.gov/cyberframework
  2. NIST SP 800-53 Revision 5 (2020). Security and Privacy Controls for Information Systems and Organizations. NIST.
  3. NIST SP 800-61 Revision 2 (2012). Computer Security Incident Handling Guide. NIST.
  4. CIS Controls v7.1 (2019). Center for Internet Security. https://www.cisecurity.org/controls/
  5. OWASP Top Ten (2021). Open Web Application Security Project. https://owasp.org/www-project-top-ten/
  6. Verizon Data Breach Investigations Report (2020). Verizon.
  7. ISO/IEC 27001:2013. Information security management systems — Requirements. ISO.
  8. Gartner (2019). Market Guide for Security Information and Event Management. Gartner Research.
  9. ENISA (2017). Good Practice Guide on Network Segmentation. European Union Agency for Cybersecurity.
  10. U.S. Bureau of Labor Statistics (2023). Occupational Outlook for Information Security Analysts. https://www.bls.gov