The assignment instructions are provided in the screenshots. The Project overview and Project Scenario are below use these to complete the assignment.
- Project Overview
This project includes the following tasks:
- Gather product information
- Analyze and differentiate product vulnerabilities
- Recommendation based on empirical data collection
- Objective: Product Selection Recommendation
Organizations depend on cybersecurity professionals to evaluate technologies and products. Organizations may use the analysis to make purchasing recommendations or to establish equipment and deployment standards. Product analysis is a workplace skill that is universal throughout the business community. Evaluating technologies and products helps to ensure that the workplace environment remains secure.
As stated in the NIST Special Publication 800-36, product selection involves people throughout various departments within the organization. Each person involved in the product selection process must understand the importance of security.
In evaluating various products and technologies, the organization analyzes identified threats and vulnerabilities as part of the selection process.
Common Vulnerabilities and Exposures (CVE) provides common names (also called CVE Identifiers) for publicly known cybersecurity vulnerabilities. CVE’s provide reference points so that information security products and services have a common baseline for evaluation. CVE makes it easier to share data about tools, repositories, and services.
The CVE Details website allows individuals to perform a deep analysis in comparing technologies.
When selecting products and technologies, the organization’s team needs to consider the threat environment and the security functions to lessen the risks to an acceptable level.Website Links
NIST Guide to Selecting Information Technology Security Products
Common Vulnerabilities and Exposures
CVE Details
Project Scenario
Acme Corporation has recently experienced cyber-attacks and data breaches that have resulted in a significant financial loss and a loss of consumer confidence. Acme hired a new chief information security officer. The CISO informed the cybersecurity staff that the organization would undergo a comprehensive threat analysis and begin to collect data to establish purchasing and deployment standards. The CISO wants to ensure that the organization uses empirical data in selecting products and establishing of standards in lieu of opinions of staff members or a sales pitch from vendors.
Over the last decade, the federal government and other organizations collected substantial data regarding product vulnerabilities and flaws. This data is freely available to organizations interested in performing product analysis. The Common Vulnerability Exploit (CVE) database is one example of a national resource available to cybersecurity professionals used to perform product analysis. The CVE Details website allows individuals to perform a deep analysis in comparing technologies.
After several incident response investigations, it is apparent that many attacks were the result of browser and email vulnerabilities. The CISO has tasked the cybersecurity staff with analyzing the organization’s Internet browsers. The investigations identified that over 95% of all users employ one of four browsers: Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, and Microsoft Edge.