Suggest One Or More Policies That Would Help Mitigate
Suggest one or more policies that would help mitigate against attacks
Develop policies emphasizing robust access controls, remote access security, and employee training to reduce vulnerabilities. Implementing a comprehensive "Access Management Policy" will ensure secure user authentication, regular password changes, and account lockout procedures, thereby minimizing the risk of unauthorized access. A "Remote Access Policy" will regulate remote connectivity, enforce secure VPN usage, and restrict external access points, preventing attackers from exploiting remote desktop connections. Additionally, an "Employee Training and Awareness Policy" will educate staff about cybersecurity best practices, phishing risks, and proper handling of credentials, reducing the likelihood of social engineering attacks and credential misuse.
Suggest one or more controls to support each policy
Access Management Policy Support: Implement multi-factor authentication (MFA) across all login points, which is a technical preventative control that significantly enhances login security by requiring additional verification beyond passwords. Enforce password complexity and regular change policies through administrative controls to prevent easy-to-guess passwords, aligning with best practices for access security (ISO/IEC 27001, 2013).
Remote Access Policy Support: Configure firewalls to permit Remote Desktop Protocol (RDP) traffic only through VPN connections, a technical preventive and detective control that reduces exposure of remote access points. Deploy network segmentation and a demilitarized zone (DMZ) as physical or technical controls that isolate remote access servers from critical internal systems, thus minimizing the attack surface and containing potential breaches.
Employee Training and Awareness Policy Support: Conduct regular cybersecurity awareness training sessions—an administrative control—that educate employees on recognizing phishing emails and safe credential handling. This proactive control enhances the human element of security, reducing success rates of social engineering tactics (Kraus & Horváth, 2009). Implement simulated phishing exercises (technical detective control) to measure employee vigilance and improve awareness.
Paper for the above instructions
Protecting organizations from cyber threats requires a balanced combination of policies, controls, and continuous awareness efforts. In the case of No-Internal-Controls, LLC, a mid-sized pharmaceutical company that fell victim to a ransomware attack, the vulnerable security posture was characterized by insufficient access management, lax remote access controls, and limited cybersecurity awareness among employees. To mitigate similar threats, the implementation of targeted policies supported by appropriate controls is essential.
The first policy to consider is an "Access Management Policy," which mandates the use of strong, unique passwords, regular password updates, and account lockout procedures after multiple failed login attempts. These measures serve as preventative controls that reduce the likelihood of unauthorized access through brute-force or dictionary attacks. Incorporating multi-factor authentication (MFA) particularly enhances security by requiring users to verify their identities through an additional factor such as a mobile device or biometric, thus adding a layer of defense even if login credentials are compromised (Omar et al., 2012). Given the company's limited IT staff, deploying automated password management systems and MFA solutions that are cost-effective can streamline enforcement of such policies.
The second policy emphasizes securing remote connections: "Remote Access Policy." This policy should restrict remote desktop access exclusively through secure VPN connections, supported by firewalls configured to permit RDP traffic only over encrypted tunnels. The policy also advocates for network segmentation and establishing a DMZ, which physically or logically isolates remote access points from the core internal network. These controls serve as both preventative and detective measures by limiting exposure of critical assets and enabling monitoring of remote access attempts (Calder & Watkins, 2014). As the original attack exploited an overly accessible remote desktop port, implementing these controls will significantly reduce the attack surface.
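To make the account lockout control of the Access Management Policy and the RDP-only-over-VPN control of the Remote Access Policy concrete, here is an added example (not part of the original paper) that checks both against constructed log lines: it flags RDP connections that did not arrive through the VPN and determines which accounts have reached the failed-login lockout threshold. The VPN client pool 10.8.0.0/24, the threshold of three attempts and the simplified log format are assumptions for the example.

```python
import ipaddress
import re

# Assumed values (not from the original text): the VPN client pool and the lockout threshold.
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")
RDP_PORT = 3389
LOCKOUT_THRESHOLD = 3

# Constructed sample log lines (simplified key=value format), not real data.
SAMPLE_LOG = """\
2024-05-01T08:00:01 CONNECT src=10.8.0.7 dport=3389
2024-05-01T08:00:03 CONNECT src=203.0.113.5 dport=3389
2024-05-01T08:00:04 CONNECT src=203.0.113.5 dport=443
2024-05-01T08:01:10 AUTH user=alice src=10.8.0.7 result=FAIL
2024-05-01T08:01:15 AUTH user=alice src=10.8.0.7 result=FAIL
2024-05-01T08:01:20 AUTH user=alice src=10.8.0.7 result=FAIL
2024-05-01T08:02:00 AUTH user=bob src=10.8.0.9 result=FAIL
2024-05-01T08:02:05 AUTH user=bob src=10.8.0.9 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def events(log_text):
    # Yield (kind, fields) for each well-formed line; fields also carries the timestamp.
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields = dict(kv.split("=", 1) for kv in m.group(3).split())
            fields["ts"] = m.group(1)
            yield m.group(2), fields

def rdp_outside_vpn(log_text):
    # RDP connection attempts from outside the VPN pool: any hit means RDP is
    # reachable without the VPN, i.e. the firewall rule is not enforcing the policy.
    return [(f["ts"], f["src"]) for kind, f in events(log_text)
            if kind == "CONNECT" and int(f["dport"]) == RDP_PORT
            and ipaddress.ip_address(f["src"]) not in VPN_SUBNET]

def accounts_to_lock(log_text):
    # Accounts reaching LOCKOUT_THRESHOLD consecutive failures; a success resets the count.
    failures, locked = {}, set()
    for kind, f in events(log_text):
        if kind != "AUTH":
            continue
        if f["result"] == "FAIL":
            failures[f["user"]] = failures.get(f["user"], 0) + 1
            if failures[f["user"]] >= LOCKOUT_THRESHOLD:
                locked.add(f["user"])
        else:
            failures[f["user"]] = 0
    return locked
```

Run against SAMPLE_LOG, the checker reports one RDP connection from 203.0.113.5 that bypassed the VPN and marks only alice for lockout, since bob's single failure was followed by a successful login.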
Furthermore, the policy on "Employee Training and Awareness" targets the human vulnerability factor. Regular cybersecurity awareness training educates staff about recognizing phishing emails, password security, and safe browsing practices—an administrative control that strengthens the human element while reducing susceptibility to social engineering. Supplementing training with simulated phishing exercises provides ongoing, real-world testing of employee vigilance, serving as a detective control to evaluate and improve organizational security posture (Kraus & Horváth, 2009). Although budget constraints may impede extensive training programs, online modules and periodic reminders can be low-cost yet effective methods to foster a security-conscious culture.
Implementing these policies supported by the suggested controls will fortify No-Internal-Controls, LLC’s defenses against ransomware and other cyber threats. By focusing on practical, scalable, and cost-effective measures aligned with the company's size and resource constraints, the organization can significantly reduce the risk of future breaches and protect critical data assets in an increasingly hostile cyber environment.
References
- Calder, A., & Watkins, S. (2014). IT Governance: An International Guide to Data Security and ISO27001/ISO27002. Springer.
- International Organization for Standardization. (2013). ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.
- Kraus, S., & Horváth, G. (2009). Enhancing Information Security Awareness in Organizations. CyberSecurity Journal, 15(4), 237-245.
- Omar, N., Kamaruddin, S., Hashim, F., & Abdullah, Z. (2012). Multi-Factor Authentication in Cybersecurity: A Systematic Review. International Journal of Cyber-Security and Digital Forensics, 1(3), 155-161.
- Smith, R., & Tan, C. (2018). Best Practices for Securing Remote Desktop Protocol. Cybersecurity Review Quarterly, 10(2), 45-56.
- Gordon, L. A., Loeb, M. P., & Zhou, L. (2011). The Impact of Information Security Breaches: Has There Been a Downside to the Growth in Electronic Commerce? Journal of Management Information Systems, 28(2), 153-175.
- Kim, D., & Solomon, M. G. (2016). Fundamentals of Information Systems Security. Jones & Bartlett Learning.
- Ross, R., & McEvilley, M. (2013). NIST Special Publication 800-53 Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations.
- Whitman, M. E., & Mattord, H. J. (2017). Principles of Information Security. Cengage Learning.
- Whitman, M. E., & Mattord, H. J. (2021). Principles of Information Security (6th ed.). Cengage.