The memorandum herein addresses the cyber-attacked case findings of an external firm that resulted due to Wannacry, a malware based on the vulnerability assessment performed. Notably, after a review of the vulnerability scan result, it is important to focus on several issues related to the findings. First and foremost, the memorandum recommends vulnerability management process for the Mercury USA and looks into the details of the findings of the scan. The recommendations address the likelihood of threats if reasonable and appropriate cyber security procedures and protocols are not followed. Importantly, the concerns of the Mercury USA on cyber threat are valid and should be worked upon with agency.
IVulnerability Management Process Recommendation
The implementation of vulnerability management (VM) process requires Mercury USA to consider the regulations and legislation in the USA that governs VM process. The vulnerability management processes are identification, evaluation, treating, and reporting the vulnerability [1]. The rules and regulations define the nature of policies and procedures adopted by the Mercury USA. Based on the result of the scan of the vulnerability assessment, the available framework within the USA that the Mercury USA should implement is Payment Card Industry Data Security Standard (PCI-DSS). The current version of PCI-DSS that is recommended is version 4.0 of 2021. It allows for data protection for the card holder and user information shared through integrated system and allows for scalability.
The second process for the Mercury’s implementation of the VM is development of self-corporate policies. They must adhere to the USA data protection policies and regulations. During the development stages, the company starts with data classification based on sensitivity nature of the data. For instance, the data can be grouped into confidential, private, public, or proprietary categories. In the data classification, the confidential data group has high sensitivity while public category has the least data protection mechanisms [2]. Moreover, the company then considers the existing technology available for its application and recommend one based on security and cost of acquisition. The choice of the technology is made through SWOT Analysis or risk assessment.
Additionally, the Mercury USA performs vulnerability evaluation which is performed periodically, but at least quarterly. During the evaluation stage, scanning is carried out with a tool of choice. For instance, the scan report examined was performed using Nessus Professional. As a network vulnerability scanner, Nessus Professional is recommended due to its security capability though it has high cost of purchase. Therefore, Nessus Professional is highly recommended for network scanning for the Mercury USA since it generates a detailed report which offers the required technical information.
Vulnerability Scanning Tool Evaluation and Recommendation
Based on the examined report, it was realized that the OpenVas was the tool used in the scanning. Comparatively, the OpenVas does not offer adequate scanning as Nessus Professional does The former runs purely on Linux and has limitation in the scanning capability. An appropriate tool should have capability of running on diverse operating systems available for different technologies for applicability. OpenVas is limited on the CVEs since it is an open source scanner. Moreover, the tool does not provide technical suggestions for policy management required in the network vulnerability scan.
The examined report shows that the OpenVas scanning took only three minutes and scanned one host IP address. Additionally, the tool gathered only four vulnerabilities for the system. A stable scanning tool takes quite long time, which is approximately one hour, and scans several IP addresses [2]. Such tools provide adequate result and report an array of vulnerabilities within the network. From the report provided, one cannot identify critical vulnerability neither can they indicate the status of the network. Therefore, the Mercury USA should adopt Nessus Professional as the scanning tool to vigorous scan the network for adequate status determination.
Business Case Example
As a matter of priority, the Mercury USA should pay a price in protecting its network against cyber-attacks. It cannot be assumed that the top management excellently understands the threat and the loss associated with any cyber-attack. When unauthorized person gains access to the company’s network, they can steal confidential information. It can contain the company’s secret codes, bank records, as well as the employees’ and customers’ personal identification information and biodata [3].
Such information can be used to divert the commercial transactions and online money theft from the customer’s related bank accounts. From the company’s view, the organization may suffer liability arising from lawsuits due to data theft and safeguarding of biodata. Second, the company may occur losses due to money heist which can result from such suspicious activities. Lastly, every company thrives on reputation to gain customer and create market share. If the organization experiences a cyber-attack, it may lose customer base, thus, create low revenue [3]. Every company relies on customer loyalty and brand recognition to grow its profit.
Moreover, most companies spend heavily on marketing to create market share. The implantation of vulnerability management process requires employees’ training on cybercrime and related policies to assist in the implantation. Though such training comes at a cost, its benefits are worth the risk. Therefore, it is paramount for the Mercury USA to invest in the appropriate market scanning tool to swiftly identify vulnerabilities for quick response.
Closing
Based on the on the finding of the network scan and subsequent assessment of the vulnerability management, it is imperative that the company should implement the VM process. The case study above shows the dangers of cyber-attacks and the liabilities associated with such threat. Despite the adequate network scanning tool having high cost, the Mercury USA should invest in VM process to remain competitive with the technological trends and threats.
References
- T. Palmaers. “Implementing a Vulnerability Management Process”. SANS Institute. n.d. Web.
- R. Scholz, “Digital Threat and Vulnerability Management: The SVIDT Method“. Sustainability, vol. 9, no. 4, p. 554, 2017. Web.
- S. Talesh, “Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses”. Law & Social Inquiry, vol. 43, no. 02, pp. 417-440, 2018. Web.